Lead2pass.Microsoft.70-640.v12.39 - GRATIS EXAM · 4/27/2012 · "First Test, First Pass" - 4 Microsoft 70-640 Exam C. Revoke the current key recovery agent certificates and issue

Lead2pass.Microsoft.70-640.v12.39.330

Number: 70-640Passing Score: 800Time Limit: 120 minFile Version: 12.39

http://www.gratisexam.com/

Copyright ?2006-2011 Lead2pass.com , All Rights Reserved.

Vendor: Microsoft

Exam Code: 70-640

Exam Name: TS: Windows Server 2008 Active Directory, Configuring

Version: 12.39

Important Notice

ProductOur Product Manager keeps an eye for Exam updates by Vendors. Free update is available within 150 daysafter your purchase.

You can login member center and download the latest product anytime. (Product downloaded from membercenter is always the latest.)

PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam again.

FeedbackWe devote to promote the product quality and the grade of service to ensure customers interest.

If you have any suggestions, please feel free to contact us [email protected]

If you have any questions about our product, please provide Exam Number, Version, Page Number, QuestionNumber, and your Login Account to us, please contact us [email protected] and our technicalexperts will provide support in 24 hours.

CopyrightThe product of each order has its own encryption code, so you should use it independently. Any unauthorizedchanges will be inflicted legal punishment. We reserve the right of final explanation for this statement.Microsoft 70-640 Exam

Exam A

QUESTION 1You install a standalone root certification authority (CA) on a server named Server1. You need to ensure thatevery computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted RootCertification Authorities store.Which command should you run on Server1?

A. certreq.exe and specify the -accept parameterB. certreq.exe and specify the -retrieve parameterC. certutil.exe and specify the -dspublish parameterD. certutil.exe and specify the -importcert parameter

Correct Answer: CSection: (none)Explanation

QUESTION 2Your network contains an Active Directory forest. The forest contains two domains. You have a standalone rootcertification authority (CA). On a server in the child domain, you run the Add Roles Wizard and discover that theoption to select an enterprise CA is disabled. You need to install an enterprise subordinate CA on the server.What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domainB. an account that is a member of the Certificate Publishers group in the forest root domainC. an account that is a member of the Schema Admins group in the forest root domainD. an account that is a member of the Enterprise Admins group in the forest root domain

Correct Answer: DSection: (none)Explanation

QUESTION 3You have an enterprise subordinate certification authority (CA).You have a group named Group1.You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must notbe allowed to revoke certificates.What should you do?

A. Add Group1 to the local Administrators group.B. Add Group1 to the Certificate Publishers group.C. Assign the Manage CA permission to Group1.D. Assign the Issue and Manage Certificates permission to Group1.


QUESTION 4You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recoveryagent certificates are issued.The CA is configured to use two recovery agents.You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

What should you do?

A. Add a data recovery agent to the Default Domain Policy.B. Modify the value in the Number of recovery agents to use box.

"First Test, First Pass" - www.lead2pass.com 4Microsoft 70-640 Exam

C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

Correct Answer: BSection: (none)Explanation

QUESTION 5You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardwaresecurity module.You need to back up Active Directory Certificate Services on the CA.Which command should you run?

A. certutil.exe -backupB. certutil.exe -backupdbC. certutil.exe -backupkeyD. certutil.exe -store

Correct Answer: ASection: (none)Explanation

QUESTION 6You have Active Directory Certificate Services (AD CS) deployed.You create a custom certificate template.You need to ensure that all of the users in the domain automatically enroll for a certificate based on the customcertificate template.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)


A. In a Group Policy object (GPO), configure the autoenrollment settings.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.

Correct Answer: ADSection: (none)Explanation

Explanation/Reference:

QUESTION 7You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificatetemplate. Users can enroll for certificates based on the custom certificate template by using the Certificatesconsole. The certificate template is unavailable for Web enrollment. You need to ensure that the certificatetemplate is available on the Web enrollment pages.What should you do?

A. Run certutil.exe -pulse.B. Run certutil.exe -installcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.


QUESTION 8You have an enterprise subordinate certification authority (CA).


You have a custom certificate template that has a key length of 1,024 bits. The template is enabled forautoenrollment.You increase the template key length to 2,048 bits.You need to ensure that all current certificate holders automatically enroll for a certificate that uses the newtemplate.Which console should you use?

A. Active Directory Administrative CenterB. Certification AuthorityC. Certificate TemplatesD. Group Policy Management


QUESTION 9Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.The functional level of the domain is Windows Server 2003.You have a certification authority (CA).The relevant servers in the domain are configured as shown in the following table:

Server name Operating system Server role

Server1 Windows Server 2003 Enterprise root CA

Server2 Windows Server 2008 Enterprise subordinate CA

Server3 Windows Server 2008 R2 Web Server

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate EnrollmentWeb Service on the network.

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.B. Upgrade Server2 to Windows Server 2008 R2.C. Raise the functional level of the domain to Windows Server 2008.D. Install the Windows Server 2008 R2 Active Directory Schema updates.


QUESTION 10Your company has an Active Directory forest that contains multiple domain controllers. The domain controllersrun Windows Server 2008.You need to perform an an authoritative restore of a deleted orgainzational unit and its child objects. Which fouractions should you perform in sequence? (To answer, move the appropriate four actions from the list of actionsto the answer area, and arrange them in the correct order.)


A.B.C.D.

Correct Answer: Section: (none)Explanation


QUESTION 11Your network contains an Active Directory domain named contoso.com The properties of the contoso.com DNSzone are configured as shown in the exhibit. You need to update all service location (SRV) records for a domaincontroller in the domain.What should you do?


A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.


Explanation/Reference:"First Test, First Pass" - www.lead2pass.com 8Microsoft 70-640 Exam

QUESTION 12Your network contains an Active Directory domain. The domain contains a group named Group1. The minimumpassword lenght for the domain is set to six characters. you need to ensure that the passwords for all users inGroup1 are at least 10 characters long. All other users must be able to use passwords that are six characterslong.What should you do first?

A. Run the New-ADFineGrainedPasswordPolicy cmdlet.B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.C. From the Default Domain Policy, modify the password policy.D. From the Default Domain Controller Policy, modify the password policy.


QUESTION 13Your network contains an Active Directory domain.A user named User1 takes a leave of absence for one year.You need to restrict access to the User1 user account while User1 is away.What should you do?

A. From the Default Domain Policy, modify the account lockout settings.B. From the Default Domain Controller Policy, modify the account lockout settings.

C. From the properties of the user account, modify the Account options.D. From the properties of the user account, modify the Session settings.


QUESTION 14Your network contains 10 domain controllers that run Windows 2008 Server R2. The network contains amember server that is configured to collect all of the events that occur on the domain controllers.Your need to ensure that administrators are notified when a specific event occurs on any of the domaincontrollers. You want to achive the goal by using the minimum amount effort.What should you do?

A. From Event Viewer on the member server, create a subscription.B. From Event Viewer on each domain controller, create a subscription.C. From Event Viewer on the member server, run the Create Basic Task Wizard.D. From Event Viewer on each domain controller,run the Create Basic Task Wizard.


QUESTION 15Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.What should you do first?

A. At the command prompt, run net stop ntds."First Test, First Pass" - www.lead2pass.com 9Microsoft 70-640 Exam

B. At the command prompt, run net stop netlogon.C. Restart DC1 in Safe Mode.D. Restart DC1 in Directory Services Restore Mode (DSRM).


QUESTION 16Your company uses an application that stores data in an Active Directory Lightweight Directory Services (ADLDS) instance named instance1.You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.) You need toensure that you can take a snapshot of Instance1.What should you do?

A. At the command prompt, run net start VSS.B. At the command prompt, run net start Instance1.C. Set the Start Type for the Instance1 service to Disabled.D. Set the Start Type for the Volume Shadow Copy Service (VSS) to Manual.


QUESTION 17Your network contains an Active Directory domain named contoso.com. All domain controllers and memberservers run Windows Server 2008. All client computers run Windows 7. From a client computer, you create anaudit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy GroupPolicy object (GPO). You discover that the audit policy is not applied to the member servers. The audit policy isapplied to the client computers.You need to ensure that the audit policy is applied to all member servers and all client computers.What should you do?

A. Add a WMI filter to the Default Domain Policy GPOB. Modify the security settings of the Default Domain Policy GPOC. Configure a startup script that runs auditpol.exe on the member servers.D. Configure a startup script that runs auditpol.exe on the domain controllers.



QUESTION 18Your network contains an Active Directory domain. The domain contains 1000 user accounts. You have a listthat contains the mobile phone number of each user You need to add the mobile number of each user to ActiveDirectory.What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exeB. Create a file that contains the mobile phone numbers, and then run csvde.exeC. From Adsiedit, select the CN=Users container, and then mofify the properties of the container.D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the

users.


QUESTION 19Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way foresttrust exists between contoso.com and nwtraders.com. The forest trust is configured to use selectiveauthentication. Contoso.com contains a server named Server1. Server1 contains a shared folder namedMarketing. Nwtraders.com contains a global group named G_Marketing. The Change share permission and theModify NTFS permissions for the Marketing folder are assigned to the G_Marketing group.Members of G_Marketing report that they cannot accesss the Marketing folder. You need to ensure that theG_Marketing members can accesss the folder from the network.What should you do?

A. From Windows Explorer, modify the NTFS permissions of the folderB. From Windows Explorer, modify the share permissions of the folderC. From Active Directory Users and Computers, modify the computer object for Server1D. From Active Directory Users and Computers, modify the group object for G_Marketing


QUESTION 20Your network contains an Active Directory domain named contoso.com. Contoso.com contains threeservers.The servers are configure as shown in the following table.

Server name Server role ServiceServer1 Certification authority (CA)

Server2 Certificate Enrollment Web ServiceServer3 Certificate Enrollment Policy Web Service

You need to ensure that users can manually enroll and renew their certificates by using the CertificateEnrollment Web Service.Which two actions should you perform? (Each corrent answer presents part of the solution.(Choose two).

A. Configure the policy module setting."First Test, First Pass" - www.lead2pass.com 11Microsoft 70-640 Exam

B. Configure the issuance requirements for the certificate templates.C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.D. Configure the delegation setting for the Certification Enrollment Web Service application pool account.

Correct Answer: BCSection: (none)Explanation

QUESTION 21Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Serever 2008 Standard.You need to install an enterprise subordinate certification authority (CA) that support private key archival. Youmust achieve this goal by using the minimum amount of administrative effort.What do you do first?

A. Initialize the Trusted Platform Module (TPM)B. Upgrade the member server to Windows Server 2008 R2 Standard.C. Install the Certificate Enrollment Policy Web Service role service on the member server.D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services -

Certification Authority server role template check box.


QUESTION 22Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) thatruns Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch officeare able to log on to the domain by using the RODC. What should you do?

A. Add another RODC to the branch office.B. Configure a new bridgehead server in the main office.C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services

console.D. Configure the Password Replication Policy on the RODC.


QUESTION 23Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run

Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamicallyregister their DNS records. You need to configure the intranet.adatum.com zone to allow only domain membersto dynamically register DNS records.What should you do?

A. Set dynamic updates to Secure Only.B. Remove the Authenticated Users group.C. Enable zone transfers to Name Servers.D. Deny the Everyone group the Create All Child Objects permission.



QUESTION 24An Active Directory database is installed on the C volume of a domain controller. You need to move the ActiveDirectory database to a new volume. What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.B. Move the ntds.dit file to the new volume by using Windows Explorer.C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows

PowerShell.D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.


QUESTION 25Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need toimplement key archival. What should you do?

A. Configure the certificate for automatic enrollment for the computers that store encrypted files.B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.C. Apply the Hisecdc security template to the domain controllers.D. Archive the private key on the server.


QUESTION 26Your company has a main office and three branch offices. The company has an Active Directory forest that hasa single domain. Each office has one domain controller. Each office is configured as an Active Directory site. Allsites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latencybetween the domain controllers. What should you do?

A. Decrease the replication schedule for the DEFAULTIPSITELINK object.B. Decrease the replication interval for the DEFAULTIPSITELINK object.

C. Decrease the cost between the connection objects.D. Decrease the replication interval for all connection objects.


QUESTION 27Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run onlydomain controllers that run Windows Server 2008. The domain functional level of contoso.com is WindowsServer 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode. You configurean external trust between contoso.com and fabrikam.com. You need to enable the Kerberos AES encryptionoption. What should you do?

A. Raise the forest functional level of fabrikam.com to Windows Server 2008.B. Raise the domain functional level of fabrikam.com to Windows Server 2008.C. Raise the forest functional level of contoso.com to Windows Server 2008.D. Create a new forest trust and enable forest-wide authentication.



QUESTION 28You need to remove the Active Directory Domain Services role from a domain controller named DC1. Whatshould you do?

A. Run the netdom remove DC1 command.B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.C. Run the nltest /remove_server: DC1 command.D. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility.


QUESTION 29Your company network has an Active Directory forest that has one parent domain and one child domain. Thechild domain has two domain controllers that run Windows Server 2008. All user accounts from the childdomain are migrated to the parent domain. The child domain is scheduled to be decommissioned. You need toremove the child domain from the Active Directory forest. What are two possible ways to achieve this goal?(Each correct answer presents a complete solution. Choose two.)

A. Run the Computer Management console to stop the Domain Controller service on both domain controllersin the child domain.

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationshipbetween the parent domain and the child domain.

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domainservices role.

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.

Correct Answer: CDSection: (none)Explanation

QUESTION 30Your network contains an Active Directory forest. All client computers run Windows 7. The network contains ahigh-volume enterprise certification authority (CA). You need to minimize the amount of network bandwidthrequired to validate a certificate.What should you do?

A. Configure an LDAP publishing point for the certificate revocation list (CRL).B. Configure an Online Certification Status Protocol (OCSP) responder.C. Modify the settings of the delta certificate revocation list (CRL).D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).


QUESTION 31Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.


Which two tasks should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Run the adprep /forestprep command.B. Run the adprep /domainprep command.C. Raise the forest functional level to Windows Server 2008.D. Raise the domain functional level to Windows Server 2008.

Correct Answer: ABSection: (none)Explanation

QUESTION 32Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.You install Windows Server 2008 R2 on a server.You need to add the new server as a domain controller in your domain.What should you do first?

A. On the new server, run dcpromo /adv.B. On the new server, run dcpromo /createdcaccount.C. On a domain controller run adprep /rodcprep.D. On a domain controller, run adprep /forestprep.


QUESTION 33Your company has two Active Directory forests as shown in the following table:

Forest name Forest functional level Domain(s)

contoso.com Windows Server 2008 contoso.com

fabrikam.com Windows Server 2008 fabrikam.com eng.fabrikam.com

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wideauthentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain toaccess resources in the contoso.com domain. You need to configure the forest trust to meet the new securitypolicy requirement.What should you do?

A. Delete the outgoing forest trust in the contoso.com domain.B. Delete the incoming forest trust in the contoso.com domain.C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide

authentication to Selective authentication.D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude

*.eng.fabrikam.com from the Name Suffix Routing trust properties.


QUESTION 34You have an existing Active Directory site named Site1.You create a new Active Directory site and name it Site2.


You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.You create the site link between Site1 and Site2.What should you do next?

A. Use the Active Directory Sites and Services console to configure a new site link bridge object.B. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.C. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2.

Move the new domain controller object to Site2.D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred

bridgehead server for Site1.


QUESTION 35Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol sharereplicates by using DFS Replication (DFS-R).What should you do?

A. From the command prompt, run netdom /reset.B. From the command prompt, run dfsutil /addroot:sysvol.C. Raise the functional level of the domain to Windows Server 2008 R2.D. From the command prompt, run dcpromo /unattend:unattendfile.xml.


QUESTION 36Your company has a branch office that is configured as a separate Active Directory site and has an ActiveDirectory domain controller.The Active Directory site requires a local Global Catalog server to support a new application. You need toconfigure the domain controller as a Global Catalog server.Which tool should you use?

A. The Dcpromo.exe utilityB. The Server Manager consoleC. The Computer Management consoleD. The Active Directory Sites and Services consoleE. The Active Directory Domains and Trusts console


QUESTION 37Your company has a main office and 10 branch offices. Each branch office has an Active Directory site thatcontains one domain controller.Only domain controllers in the main office are configured as Global Catalog servers. You need to deactivate theUniversal Group Membership Caching option on the domain controllers in the branch offices.At which level should you deactivate the Universal Group Membership Caching option?


A. SiteB. ServerC. DomainD. Connection object


QUESTION 38Your company has an Active Directory forest. Not all domain controllers in the forest are configured as GlobalCatalog Servers. Your domain structure contains one root domain and one child domain.You modify the folder permissions on a file server that is in the child domain. You discover that some AccessControl entries start with S-1-5-21... and that no account name is listed.You need to list the account names.What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global

Catalog.


QUESTION 39Your company has an Active Directory domain.You log on to the domain controller. The Active Directory Schema snap-in is not available in the MicrosoftManagement Console (MMC).You need to access the Active Directory Schema snap-in.What should you do?

A. Register Schmmgmt.dll.B. Log off and log on again by using an account that is a member of the Schema Admins group.C. Use the Ntdsutil.exe command to connect to the schema master operations master and open the schema

for writing.D. Add the Active Directory Lightweight Directory Services (AD/LDS) role to the domain controller by using

Server Manager.


QUESTION 40Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operationsmaster roles.DC1 fails.You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations masterroles to their original state. You perform a metadata cleanup and remove all references of DC1.Which three actions should you perform next?(To answer, move the appropriate actions from the list of actions to the answer area and arrange


them in the correct order.)

A.B.C.D.



QUESTION 41You are decommissioning one of the domain controllers in a child domain. You need to transfer all domainoperations master roles within the child domain to a newly installed domain controller in the same child domain.Which three domain operations master roles should you transfer? (Each correct answer presents part of thesolution. Choose three.)

A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: ABDSection: (none)Explanation

QUESTION 42Your company has an Active Directory domain. The company has two domain controllers named DC1 andDC2. DC1 holds the schema master role.DC1 fails. You log on to Active Directory by using the administrator account.You are not able to transfer the schema master role.You need to ensure that DC2 holds the schema master role.What should you do?

A. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.B. Configure DC2 as a bridgehead server.C. On DC2, seize the schema master role.D. Log off and log on again to Active Directory by using an account that is a member of the Schema Admins

group. Start the Active Directory Schema snap-in."First Test, First Pass" - www.lead2pass.com 18Microsoft 70-640 Exam


QUESTION 43You are decommissioning domain controllers that hold all forest-wide operations master roles. You need totransfer all forest-wide operations master roles to another domain controller.Which two roles should you transfer?(Each correct answer presents part of the solution. Choose two.)

A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: CESection: (none)Explanation

QUESTION 44Your company has a server that runs an instance of Active Directory Lightweight Directory Services (AD LDS).You need to create new organizational units in the AD LDS application directory partition.What should you do?

A. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDSapplication directory partition.

B. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.D. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

Correct Answer: B

Section: (none)Explanation

QUESTION 45Your company has a server that runs Windows Server 2008 R2. The server runs an instance of ActiveDirectory Lightweight Directory Services (AD LDS).You need to replicate the AD LDS instance on a test computer that is located on the network.What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.B. Create a naming context by running the Dsmgmt command on the test computer.C. Create a new directory partition by running the Dsmgmt command on the test computer.D. Create and install a replica by running the AD LDS Setup wizard on the test computer.


QUESTION 46Your company has an Active Directory Rights Management Services (AD RMS) server. Users have WindowsVista computers. An Active Directory domain is configured at the Windows Server 2003 functional level.You need to configure AD RMS so that users are able to protect their documents.What should you do?


A. Install the AD RMS client 2.0 on each client computer.B. Add the RMS service account to the local administrators group on the AD RMS server.C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.


QUESTION 47Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.You implement Active Directory Rights Management Services (AD RMS).You install Microsoft SQL Server 2005.When you attempt to open the AD RMS administration Web site, you receive the following error message:"SQL Server does not exist or access denied."You need to open the AD RMS administration Web site.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Restart IIS.B. Install Message Queuing.C. Start the MSSQLSVC service.D. Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD

RMS.

Correct Answer: AC


QUESTION 48Your company has a main office and 40 branch offices. Each branch office is configured as a separate ActiveDirectory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one ofthe branch offices.You need to identify the user accounts that were cached on the stolen RODC server.Which utility should you use?

A. Dsmod.exeB. Ntdsutil.exeC. Active Directory Sites and ServicesD. Active Directory Users and Computers


QUESTION 49Your company has an Active Directory forest that contains a single domain. The domain member server has anActive Directory Federation Services (AD FS) server role installed. You need to configure AD FS to ensure thatAD FS tokens contain information from the Active Directory domain.What should you do?

A. Add and configure a new account store.B. Add and configure a new account partner.


C. Add and configure a new resource partner.D. Add and configure a Claims-aware application.


QUESTION 50A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails.You need to enable the user to join a single computer to the domain. You must ensure that the user is deniedany additional rights beyond those required to complete the task.What should you do?

A. Prestage the computer account in the Active Directory domain.B. Add the user to the Domain Administrators group for one day.C. Add the user to the Server Operators group in the Active Directory domain.D. Grant the user the right to log on locally by using a Group Policy Object (GPO).


QUESTION 51

Your company's security policy requires complex passwords.You have a comma delimited file named import.csv that contains user account information. You need to createuser accounts in the domain by using the import.csv file. You also need to ensure that the new user accountsare set to use default passwords and are disabled.What should you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde -i-k -f import.csv command.Run the DSMOD utility to set default passwords for the user accounts.

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command.Run the DSMOD utility to set default passwords for the user accounts.

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command.Run the DSADD utility to set default passwords for the imported user accounts.

D. Modify the userAccountControl attribute to disabled. Run the ldifde -i-f import.csv command.Run the DSADD utility to set passwords for the imported user accounts.


QUESTION 52Your company hires 10 new employees.You want the new employees to connect to the main office through a VPN connection. You create new useraccounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources inthe main office.The new employees are unable to access shared resources in the main office. You need to ensure that usersare able to establish a VPN connection to the main office.What should you do?

A. Grant the new employees the Allow Full control permission.B. Grant the new employees the Allow Access Dial-in permission.C. Add the new employees to the Remote Desktop Users security group.


D. Add the new employees to the Windows Authorization Access security group.


QUESTION 53You need to relocate the existing user and computer objects in your company to different organizational units.What are two possible ways to achieve this goal?(Each correct answer presents a complete solution. Choose two.)

A. Run the Dsmove utility.B. Run the Active Directory Migration Tool (ADMT).C. Run the Active Directory Users and Computers utility.D. Run the move-item command in the Microsoft Windows PowerShell utility.

Correct Answer: ACSection: (none)Explanation

QUESTION 54You want users to log on to Active Directory by using a new User Principal Name (UPN). You need to modifythe UPN suffix for all user accounts.Which tool should you use?

A. DsmodB. NetdomC. RedirusrD. Active Directory Domains and Trusts


QUESTION 55You are installing an application on a computer that runs Windows Server 2008 R2. During installation, theapplication will need to add new attributes and classes to the Active Directory database.You need to ensure that you can install the application.What should you do?

A. Change the functional level of the forest to Windows Server 2008 R2.B. Log on by using an account that has Server Operator rights.C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the

application.D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install

the application.


QUESTION 56Your company has an organizational unit named Production. The Production organizational unit has a childorganizational unit named R&D.You create a GPO named Software Deployment and link it to the Production organizational unit.You create a shadow group for the R&D organizational unit.


You need to deploy an application to users in the Production organizational unit. You also need to ensure thatthe application is not deployed to users in the R&D organizational unit. What are two possible ways to achievethis goal?(Each correct answer presents a complete solution. Choose two.)

A. Configure the Enforce setting on the software deployment GPO.B. Configure the Block Inheritance setting on the R&D organizational unit.C. Configure the Block Inheritance setting on the Production organizational unit.D. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D

security group.

Correct Answer: BDSection: (none)Explanation

QUESTION 57Your company has an Active Directory domain that has an organizational unit named Sales. The Salesorganizational unit contains two global security groups named sales managers and sales executives.You need to apply desktop restrictions to the sales executives group. You must not apply these desktoprestrictions to the sales managers group. You create a GPO named DesktopLockdown and link it to the Salesorganizational unit.What should you do next?

A. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.C. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.D. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.


QUESTION 58Your company has an Active Directory forest. The company has branch offices in three locations.Each location has an organizational unit.You need to ensure that the branch office administrators are able to create and apply GPOs only to theirrespective organizational units.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.B. Modify the Managed By tab in each organizational unit to add the branch office administrators to their

respective organizational units.C. Run the Delegation of Control Wizard and delegate the right to link GPOs for the domain to the branch

office administrators.D. Run the Delegation of Control Wizard and delegate the right to link GPOs for their branch organizational

units to the branch office administrators.



QUESTION 59Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administratorsof the subsidiary company must use the French-language version of the administrative templates.You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR. You need to ensure that the French-language version of the templates isavailable.What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site.Copy the ADM files to the FR folder.

B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folderon the subsidiary PDC emulator.

C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR

folder on the subsidiary PDC emulator.D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder

on the subsidiary PDC emulator.


QUESTION 60A server named DC1 has the Active Directory Domain Services (AD?DS) role and the Active DirectoryLightweight Directory Services (AD?LDS) role installed. An AD? LDS instance named LDS1 stores its data onthe C: drive.You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform in sequence?(To answer, move the three appropriate actions from the list of actions to the answer area and arrange them inthe correct order.)

A.B.C.D.



QUESTION 61Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 andclient computers that run Windows 7.The domain uses a set of GPO administrative templates that have been approved to support regulatorycompliance requirements.Your partner company has an Active Directory forest that contains a single domain. The company has serversthat run Windows Server 2008 R2 and client computers that run Windows 7. You need to configure yourpartner company's domain to use the approved set of administrative templates.What should you do?

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, importthe GPO to the default domain policy.

B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Website. Copy the ADM files to the PolicyDefinitions folder on the partner company's PDC emulator.


QUESTION 62Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers andDNS servers. All client computers run Windows XP SP3. You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.What should you do?

A. Add your account to the Domain Admins group.B. Upgrade your client computers to Windows 7.C. Install .NET Framework 3.0 on your client computers.

D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to thePolicyDefinitions folder.


QUESTION 63"First Test, First Pass" - www.lead2pass.com 25Microsoft 70-640 Exam

Your company purchases a new application to deploy on 200 computers. The application requires that youmodify the registry on each target computer before you install the application. The registry modifications are in afile that has an .adm extension. You need to prepare the target computers for the application.What should you do?

A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unitthat contains the target computers.

B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each targetcomputer.

C. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer.Run the REDIRUsr CONTAINER-DN command on each target computer.

D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer.Run the REDIRCmp CONTAINER-DN command on each target computer.


QUESTION 64Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.The TempWorkers group is not nested in any other groups. You move the computer objects of three fileservers to a new organizational unit named SecureServers. These file servers contain only confidential data inshared folders. You need to prevent members of the TempWorkers group from accessing the confidential dataon the file servers. You must achieve this goal without affecting access to other domain resources.What should you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to thiscomputer from the network user right to the TempWorkers global group.

B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the networkuser right to the TempWorkers global group.

C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkersglobal group.

D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally userright to the TempWorkers global group.


QUESTION 65All consultants belong to a global group named TempWorkers. You place three file servers in a neworganizational unit named SecureServers. The three file servers contain confidential data located in sharedfolders. You need to record any failed attempts made by the consultants to access the confidential data.

Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege useFailure audit policy setting.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object accessFailure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to thiscomputer from the network user rights setting for the TempWorkers global group.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure "FirstTest, First Pass" - www.lead2pass.com 26Microsoft 70-640 Examthe Failed Full control setting in the Auditing Entry dialog box.

E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.Configure the Failed Full control setting in the Auditing Entry dialog box.

Correct Answer: BESection: (none)Explanation

QUESTION 66Your company has an Active Directory domain and an organizational unit. The organizational unit is namedWeb. You configure and test new security settings for Internet Information Service (IIS) servers on a servernamed IISServerA.You need to deploy the new security settings only on the IIS servers that are members of the Weborganizational unit.What should you do?

A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, and then run secedit /configure /db webou.inf from the command prompt.

B. Export the settings on IISServerA to create a security template. Import the security template into a GPO andlink the GPO to the Web organizational unit.

C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf fromthe command prompt.

D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.


QUESTION 67Your company has an Active Directory forest that contains client computers that run Windows Vista andWindows XP.You need to ensure that users are able to install approved application updates on their computers.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Set up Automatic Updates through Control Panel on the client computers.B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically

search for updates on the Microsoft Update site.C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows

Server Update Services (WSUS) server for approved updates.D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on

the Internet. Approve all required updates.


QUESTION 68Your company has an Active Directory forest. Each branch office has an organizational unit and a childorganizational unit named Sales.The Sales organizational unit contains all users and computers of the sales department. You need to install aMicrosoft Office 2007 application only on the computers in the Sales organizational unit.You create a GPO named SalesApp GPO.What should you do next?

A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to "FirstTest, First Pass" - www.lead2pass.com 27Microsoft 70-640 Examthe domain.

B. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

D. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Salesorganizational unit in each location.


QUESTION 69Your company has an Active Directory forest. The forest includes organizational units corresponding to thefollowing four locations:

LondonChicagoNew YorkMadrid

Each location has a child organizational unit named Sales. The Sales organizational unit contains all the usersand computers from the sales department.The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid isconnected by a 256-Kbps ISDN connection.You need to install an application on all the computers in the sales department.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Disable the slow link detection setting in the Group Policy Object (GPO).B. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).C. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.

Link the GPO to each Sales organizational unit.D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers.

Link the GPO to each Sales organizational unit.


QUESTION 70Your company has an Active Directory forest. The company has three locations. Each location has anorganizational unit and a child organizational unit named Sales. The Sales organizational unit contains all usersand computers of the sales department. The company plans to deploy a Microsoft Office 2007 application on allcomputers within the three Sales organizational units.You need to ensure that the Office 2007 application is installed only on the computers in the Salesorganizational units.What should you do?

A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the domain.

B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location."First Test, First Pass" - www.lead2pass.com 28Microsoft 70-640 Exam

D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.


QUESTION 71The default domain GPO in your company is configured by using the following account policy settings:

- Minimum password length: 8 characters- Maximum password age: 30 days- Enforce password history: 12 passwords remembered- Account lockout threshold: 3 invalid logon attempts .Account lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQLServer application uses a service account named SQLSrv.The SQLSrv account has domain user rights.The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is notlocked out.You need to resolve the server failure and prevent recurrence of the failure.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Reset the password of the SQLSrv user account.B. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user

account.C. Configure the properties of the SQLSrv account to Password never expires.D. Configure the properties of the SQLSrv account to User cannot change password.E. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon

locally user right.


QUESTION 72You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked outfor 5 minutes.Which three actions should you perform?(Each correct answer presents part of the solution. Choose three.)

A. Set the Minimum password age setting to one day.B. Set the Maximum password age setting to one day.C. Set the Account lockout duration setting to 5 minutes.D. Set the Reset account lockout counter after setting to 5 minutes.E. Set the Account lockout threshold setting to 3 invalid logon attempts.F. Set the Enforce password history setting to 3 passwords remembered.

Correct Answer: CDESection: (none)Explanation

QUESTION 73Your company has an Active Directory domain.


A user attempts to log on to the domain from a client computer and receives the following message: "This useraccount has expired. Ask your administrator to reactivate the account." You need to ensure that the user is ableto log on to the domain.What should you do?

A. Modify the properties of the user account to set the account to never expire.B. Modify the properties of the user account to extend the Logon Hours setting.C. Modify the properties of the user account to set the password to never expire.D. Modify the default domain policy to decrease the account lockout duration.


QUESTION 74Your network consists of a single Active Directory domain. User accounts for engineering department arelocated in an OU named Engineering.You need to create a password policy for the engineering department that is different from your domainpassword policy.What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the

Engineering OU.C. Create a global security group and add all the user accounts for the engineering department to the group.

Create a new Password Policy Object (PSO) and apply it to the group.D. Create a domain local security group and add all the user accounts for the engineering department to the

group. From the Active Directory Users and Computer console, select the group and run the Delegation ofControl Wizard.

Correct Answer: C


QUESTION 75Your company has a domain controller that runs Windows Server 2008. The domain controller has the backupfeatures installed. You need to perform a non-authoritative restore of the doman controller using an existingbackup file. What should you do?

A. Boot into Directory Services Restore Mode and use wbadmin to restore critical volumeB. Boot into Directory Services Restore Mode and use the backup snap-in to restore critical volumeC. Boot into Safe Mode and use wbadmin to restore critical volumeD. Boot into Safe Mode and use the backup snap-in to restore critical volume


QUESTION 76Your company has an Active Directory forest that contains two domains, The forest has universal groups thatcontain members from each domain, A branch office has a domain controller named DC1,Users at the branch office report that the logon process takes too long, You need to decrease the amount oftime it takes for the branch office users to logon, What should you do?

A. Configure DC1 as a Global Catalog server,"First Test, First Pass" - www.lead2pass.com 30Microsoft 70-640 Exam

B. Configure DC1 as a bridgehead server for the branch office site,C. Decrease the replication interval on the site link that connects the branch office to the corporate network,D. Increase the replication interval on the site link that connects the branch office to the corporate network.


QUESTION 77Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty usersreport that they are unable to log on to the domain. You need to register the SRV records. Which commandshould you run on the new domain controller?

A. Run the netsh interface reset command.B. Run the ipconfig /flushdns command.C. Run the dnscmd /EnlistDirectoryPartition command.D. Run the sc stop netlogon command followed by the sc start netlogon command.


QUESTION 78Your company uses shared folders. Users are granted access to the shared folders by using domain localgroups. One of the shared folders contains confidential data. You need to ensure that unauthorized users arenot able to access the shared folder that contains confidential data. What should you do?

A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users byusing the Dsmod utility.

B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full controlpermission on the shared folders that hold the confidential data for the Guest account.

C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in tothe Deny DLG group. Configure the Allow Full control permission on the shared folder that hold theconfidential data for the Deny DLG group.

D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorizedusers in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that holdthe confidential data for the Deny DLG group.


QUESTION 79You had installed Windows Server 2008 on a computer and configured it as a file server, named FileSrv1. TheFileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance andperformance you want to configure Redundant Array of Independent Disks (RAID) 0 +1 on FileSrv1. Whichutility you will use to convert basic disks to dynamic disks on FileSrv1?

A. Diskpart.exeB. Chkdsk.exeC. Fsutil.exeD. Fdisk.exe


E. None of the above


QUESTION 80ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boosts 40 WindowsVista client machines. As an administrator at ABC.com, you want to deploy Active Directory Certificate service(AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificatesettings on all machines in a domain from one main location?

A. Configure Enterprise CA certificate settingsB. Configure Enterprise trust certificate settingsC. Configure Advance CA certificate settingsD. Configure Group Policy certificate settingsE. All of the above


QUESTION 81You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

What tool should you use?

A. dsmodB. ntdsutilC. Local Users and Groups snap-inD. Active Directory Users and Computers snap-in


QUESTION 82A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for thedomain has been completed and unnecessary objects have been deleted. You need to perform an offlinedefragmentation of the Active Directory database on DC12. You also need to ensure that the critical servicesremain online.What should you do?

A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC).

Run the Defrag utility.D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC).

Run the Ntdsutil utility.


QUESTION 83You need to identify all failed logon attempts on the domain controllers.


What should you do?

A. Run Event Viewer.B. View the Netlogon.log file.C. Run the Security Configuration Wizard.D. View the Security tab on the domain controller computer object.


QUESTION 84You create 200 new user accounts. The users are located in six different sites. New users report that theyreceive the following error message when they try to log on: "The username or password is incorrect."You confirm that the user accounts exist and are enabled.You also confirm that the user name and password information supplied are correct.You need to identify the cause of the failure.You also need to ensure that the new users are able to log on.

Which utility should you run?

A. RsdiagB. RstoolsC. RepadminD. Active Directory Domains and Trusts


QUESTION 85You need to validate whether Active Directory successfully replicated between two domain controllers.What should you do?

A. Run the DSget command.B. Run the Dsquery command.C. Run the RepAdmin command.D. Run the Windows System Resource Manager.


QUESTION 86Your network consists of a single Active Directory domain.? All domain controllers run Windows Server 2008R2.You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amountof available CPU resources on a domain controller.What should you do?

A. Review performance data in Resource Monitor.B. Review the Hardware Events log in the Event Viewer.C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.D. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.



QUESTION 87Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to capture all replication errors from all domain controllers to a central location.What should you do?

A. Configure event log subscriptions.B. Start the System Performance data collector set.C. Start the Active Directory Diagnostics data collector set.D. Install Network Monitor and create a new capture.


QUESTION 88You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certificationauthority (CA) server that meets the following requirements:

- Allows the certification authority to automatically issue certificates- Integrates with Active Directory Domain Services

What should you do?

A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA .B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA .C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory

Certificate Services server role as a Standalone Subordinate CA .D. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store

of the schema master.


QUESTION 89Your company has an Active Directory forest.You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server. When youattempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CAoption is not available.You need to install the AD CS (Certificate Services) server role as an Enterprise CA.What should you do first?

A. Add the DNS Server server role.B. Join the server to the domain.C. Add the Web Server (IIS) server role and the AD?CS server role.D. Add the Active Directory Lightweight Directory Services (AD?LDS) server role.


QUESTION 90You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role


installed.You need to minimize the amount of time it takes for client computers to download a certificate revocation list(CRL).What should you do?

A. Install and configure an Online Responder.B. Install and configure an additional domain controller.

C. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client

workstations.


QUESTION 91You have a Windows Server 2008 R2 Enterprise Root CA . Security policy prevents port 443 and port 80 frombeing opened on domain controllers and on the issuing CA . You need to allow users to request certificatesfrom a Web interface. You install the Active Directory Certificate Services (AD CS) server role.What should you do next?

A. Configure the Online Responder Role Service on a member server.B. Configure the Online Responder Role Service on a domain controller.C. Configure the Certificate Enrollment Web Service role service on a member server.D. Configure the Certificate Enrollment Web Service role service on a domain controller.


QUESTION 92Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS)is configured as a standalone Certification Authority (CA) on the server. You need to audit changes to the CAconfiguration settings and the CA security settings.Which two tasks should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Configure auditing in the Certification Authority snap-in.B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%

\CertSrv directory.C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate

Services (AD CS) server.


QUESTION 93Your company has an Active Directory domain.You install an Enterprise Root certification authority (CA) on a member server named Server1. You need toensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.What should you do?

A. Remove the Request Certificates permission from the Domain Users group.B. Remove the Request Certificates permission from the Authenticated Users group.


C. Assign the Allow - Manage CA permission to only the Security Manager user account.D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account.


QUESTION 94You have a Windows Server 2008 R2 Enterprise Root certification authority (CA). You need to grant membersof the Account Operators group the ability to only manage Basic EFS certificates.You grant the Account Operators group the Issue and Manage Certificates permission on the CA .Which three tasks should you perform next?(Each correct answer presents part of the solution. Choose three.)

A. Enable the Restrict Enrollment Agents option on the CA .B. Enable the Restrict Certificate Managers option on the CA .C. Add the Basic EFS certificate template for the Account Operators group.D. Grant the Account Operators group the Manage CA permission on the CA .E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCESection: (none)Explanation

QUESTION 95You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an enterprise root certification authority (CA). You install the Online Responder role service onServer2. You need to configure Server1 to support the Online Responder.What should you do?

A. Import the enterprise root CA certificate.B. Configure the Certificate Revocation List Distribution Point extension.C. Configure the Authority Information Access (AIA) extension.D. Add the Server2 computer account to the CertPublishers group.


QUESTION 96Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runsan Enterprise Root certification authority (CA).You need to ensure that only administrators can sign code.Which two tasks should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Publish the code signing template.B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow

only administrators to apply the policy.C. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted

Publishers.D. Modify the security settings on the template to allow only administrators to request code signing certificates.

Correct Answer: ADSection: (none)

Explanation


QUESTION 97Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company usesan Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.The Enterprise Intermediate CA certificate expires.You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group

policy object.D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.


QUESTION 98Your company has an Active Directory domain.You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runsWindows Server 2008 R2.You need to ensure that members of the Account Operators group are able to issue smartcard credentials.They should not be able to revoke certificates.Which three actions should you perform?

(Each correct answer presents part of the solution. Choose three.)

A. Install the AD CS server role and configure it as an Enterprise Root CA .B. Install the AD CS server role and configure it as a Standalone CA .C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.E. Create a Smartcard logon certificate.F. Create an Enrollment Agent certificate.

Correct Answer: ACESection: (none)Explanation

QUESTION 99Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.You need to create multiple password policies for users in your domain.What should you do?

A. From the Active Directory Schema snap-in, create multiple class schema objects.B. From the ADSI Edit snap-in, create multiple Password Setting objects.C. From the Security Configuration Wizard, create multiple security policies.D. From the Group Policy Management snap-in, create multiple Group Policy objects.



You need to perform an offline defragmentation of an Active Directory database. Which four actions should youperform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer areaand arrange them in the correct order.)

A.B.C.D.



QUESTION 101Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company usesan Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highlyavailable.What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.B. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and

Acceleration Server array.C. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the

domain.


QUESTION 102Your company has an Active Directory domain.You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprisecertification authority is running Windows Server 2008 R2. You need to ensure users are able to enroll newcertificates.What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA . Copy the CRL to the CertEnroll folder on theissuing CA ."First Test, First Pass" - www.lead2pass.com 38Microsoft 70-640 Exam

B. Renew the Certificate Revocation List (CRL) on the issuing CA . Copy the CRL to the SystemCertificatesfolder in the users' profile.

C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client

workstations.

Correct Answer: A


QUESTION 103You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an Enterprise Root certification authority (CA).You install the Online Responder role service on Server2.You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.Which two tasks should you perform?

(Each correct answer presents part of the solution. Choose two.)

A. Import the enterprise root CA certificate.B. Import the OCSP Response Signing certificate.C. Add the Server1 computer account to the CertPublishers group.D. Set the Startup Type of the Certificate Propagation service to Automatic.

Correct Answer: ABSection: (none)Explanation

QUESTION 104Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hostsa standard secondary DNS zone for the domain. You need to configure DNS to allow only secure dynamicupdates.What should you do first?

A. On DC1 and DC2, configure a trust anchor.B. On DC1 and DC2, configure a connection security rule.C. On DC1, configure the zone transfer settings.D. On DC1, configure the zone to be stored in Active Directory.


QUESTION 105Your network contains a domain controller that has two network connections named Internal and Private.Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent thedomain controller from registering Host (A) records for the 10.10.10.5 IP address.What should you do?

A. Modify the netlogon.dns file on the domain controller.B. Modify the Name Server settings of the DNS zone for the domain.C. Modify the properties of the Private network connection on the domain controller.D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.


Correct Answer: CSection: (none)

Explanation

QUESTION 106Your network contains an Active Directory forest named contoso.com. You plan to add a new domain namednwtraders.com to the forest.All DNS servers are domain controllers.You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNSservers in the forest.What should you do?

A. Add the computer accounts of all the domain controllers to the DnsAdmins group.B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.C. Create a standard primary zone on a domain controller in the forest root domain.D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.


QUESTION 107Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 hosts a standard primary zone for contoso.com. You discover that non-domainmember computers register records in the contoso.com zone. You need to prevent the non-domain membercomputers from registering records in the contoso.com zone. All domain member computers must be allowedto register records in the contoso.com zone.What should you do first?

A. Configure a trust anchor.B. Run the Security Configuration Wizard (SCW).C. Change the contoso.com zone to an Active Directory-integrated zone.D. Modify the security settings of the %SystemRoot%\System32\Dns folder.


QUESTION 108Your network contains an Active Directory domain named contoso.com.You create a GlobalNames zone.You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record isserver2.contoso.com. When you ping Server1, you discover that the name fails to resolve.You successfully resolve server2.contoso.com.You need to ensure that you can resolve names by using the GlobalNames zone.What should you do?

A. From the command prompt, use the netsh tool.B. From the command prompt, use the dnscmd tool.C. From DNS Manager, modify the properties of the GlobalNames zone.D. From DNS Manager, modify the advanced settings of the DNS server.



QUESTION 109Your company has a main office and a branch office.The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com isconfigured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.The main office contains a writable domain controller named DC1. The branch office contains a read- onlydomain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers.You uninstall the DNS server role from RODC1.You need to prevent DNS records from replicating to RODC1.What should you do?

A. Modify the replication scope for the contoso.com zone.B. Flush the DNS cache and enable cache locking on RODC1.C. Configure conditional forwarding for the contoso.com zone.D. Modify the zone transfer settings for the contoso.com zone.


QUESTION 110Your network contains an Active Directory domain named contoso.com. The domain contains the serversshown in the following table:

Server name Operating system Role

DC1 Windows Server 2008 Domain controller

DC2 Windows Server 2008 R2 Domain controller

DNS1 Windows Server 2008 DNS server

DNS2 Windows Server 2008 R2 DNS server

The functional level of the forest is Windows Server 2003. The functional level of the domain is WindowsServer 2003.DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise. You need toensure that all of the names in the contoso.com zone are secured by using DNSSEC.What should you do first?

A. Change the functional level of the forest.B. Change the functional level of the domain.C. Upgrade DC1 to Windows Server 2008 R2.D. Upgrade DNS1 to Windows Server 2008 R2.


QUESTION 111

Your network contains a domain controller that is configured as a DNS server. The server hosts an ActiveDirectory-integrated zone for the domain.You need to reduce how long it takes until stale records are deleted from the zone.What should you do?

A. From the configuration directory partition of the forest, modify the tombstone lifetime."First Test, First Pass" - www.lead2pass.com 41Microsoft 70-640 Exam

B. From the configuration directory partition of the forest, modify the garbage collection interval.C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.


QUESTION 112You have an Active Directory domain named contoso.com.You have a domain controller named Server1 that is configured as a DNS server. Server1 hosts a standardprimary zone for contoso.com. The DNS configuration of Server1 is shown in the exhibit.(Click the Exhibit button.)

You discover that stale resource records are not automatically removed from the contoso.com zone. You needto ensure that the stale resource records are automatically removed from the contoso.com zone.What should you do?

A. Set the scavenging period of Server1 to 0 days.B. Modify the Server Aging/Scavenging properties.C. Configure the aging properties for the contoso.com zone.D. Convert the contoso.com zone to an Active Directory-integrated zone.



QUESTION 113Your network contains an Active Directory domain named contoso.com.You remove several computers from the network.You need to ensure that the host (A) records for the removed computers are automatically deleted from thecontoso.com DNS zone.What should you do?

A. Configure dynamic updates.B. Configure aging and scavenging.C. Create a scheduled task that runs the Dnscmd /ClearCache command.D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.


QUESTION 114You need to force a domain controller to register all service location (SRV) resource records in DNS.Which command should you run?

A. ipconfig.exe /registerdnsB. net.exe stop dnscache & net.exe start dnscacheC. net.exe stop netlogon & net.exe start netlogonD. regsvr32.exe dnsrslvr.dll


QUESTION 115Your network contains an Active Directory domain named contoso.com. You plan to deploy a child domainnamed sales.contoso.com. The domain controllers in sales.contoso.com will be DNS servers forsales.contoso.com. You need to ensure that users in contoso.com can connect to servers in sales.contoso.comby using fully qualified domain names (FQDNs).What should you do?

A. Create a DNS forwarder.B. Create a DNS delegation.C. Configure root hint servers.D. Configure an alternate DNS server on all client computers.


QUESTION 116Your network contains a single Active Directory domain named contoso.com. The domain contains two domaincontrollers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone forcontoso.com. DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an ActiveDirectory-integrated zone and configure the zone to accept secure dynamic updates only.You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.


Which command should you run?

A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.comB. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimaryC. dnslint.exe /qlD. repadmin.exe /syncall /force


QUESTION 117Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in thefollowing Command Prompt window. You need to ensure that you can use Nslookup to list all of the servicelocation (SRV) resource records for contoso.com.What should you modify?

A. the root hints of the DNS serverB. the security settings of the zoneC. the Windows Firewall settings on the DNS serverD. the zone transfer settings of the zone


QUESTION 118Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is storedin Active Directory. All domain controllers run Windows Server 2008 R2. You need to identify if all of the DNSrecords used for Active Directory replication are correctly registered.What should you do?

A. From the command prompt, use netsh.exe.B. From the command prompt, use dnslint.exe.C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.

Correct Answer: B


QUESTION 119Your network contains a single Active Directory forest. The forest contains two domains named contoso.comand sales.contoso.com. The domain controllers are configured as shown in the following table:

Server name Domain DNS zones hosted

DC1 contoso.com contoso.com

DC2 contoso.com contoso.com

DC3 sales.contoso.com sales.contoso.com

DC4 sales.contoso.com sales.contoso.com


All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integratedzones.You need to ensure that contoso.com records are available on DC3.Which command should you run?

A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainB. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forestC. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainD. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest


QUESTION 120Your network contains an Active Directory forest. The forest contains one domain and three sites. Each sitecontains two domain controllers. All domain controllers are DNS servers.You create a new Active Directory-integrated zone.You need to ensure that the new zone is replicated to the domain controllers in only one of the sites.What should you do first?

A. Modify the NTDS Site Settings object for the site.B. Modify the replication settings of the default site link.C. Create an Active Directory connection object.D. Create an Active Directory application directory partition.


QUESTION 121You have a DNS zone that is stored in a custom application directory partition.You install a new domain controller.You need to ensure that the custom application directory partition replicates to the new domain controller.

What should you use?

A. the Active Directory Administrative Center consoleB. the Active Directory Sites and Services consoleC. the DNS Manager consoleD. the Dnscmd tool


QUESTION 122Your network contains an Active Directory domain named contoso.com. All domain controllers run WindowsServer 2008 R2. The functional level of the domain is Windows Server 2008 R2.The functional level of the forest is Windows Server 2008.You have a member server named Server1 that runs Windows Server 2008. You need to ensure that you canadd Server1 to contoso.com as a domain controller.What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccountB. dcpromo.exe /ReplicaOrNewDomain:replica


C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008DomainD. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest


QUESTION 123Your network contains an Active Directory forest. The forest contains a single domain. You want to accessresources in a domain that is located in another forest. You need to configure a trust between the domain inyour forest and the domain in the other forest.What should you create?

A. an incoming external trustB. an incoming realm trustC. an outgoing external trustD. an outgoing realm trust


QUESTION 124Your network contains two Active Directory forests. One forest contains two domains named contoso.com andna.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configuredbetween the two forests.You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to acomputer in the nwtraders.com domain by using the user name NA\User1. Other users from na.contoso.comreport that they can log on to the computers in the nwtraders.com domain.You need to ensure that User1 can log on to the computer in the nwtraders.com domain.

What should you do?

A. Enable selective authentication over the forest trust.B. Create an external one-way trust from na.contoso.com to nwtraders.com.C. Instruct User1 to log on to the computer by using his user principal name (UPN).D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.


QUESTION 125Your company has a main office and a branch office. The main office contains two domain controllers.You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branchoffice, and then add the domain controller to the BranchOfficeSite site.You discover that users in the branch office are randomly authenticated by either the domain controller in thebranch office or the domain controllers in the main office. You need to ensure that the users in the branch officealways attempt to authenticate to the domain controller in the branch office first.What should you do?

A. Create organizational units (OUs).B. Create Active Directory subnet objects.C. Modify the slow link detection threshold.


D. Modify the Location attribute of the computer objects.


QUESTION 126Your company has a main office and 50 branch offices. Each office contains multiple subnets. You need toautomate the creation of Active Directory subnet objects.What should you use?

A. the Dsadd toolB. the Netsh toolC. the New-ADObject cmdletD. the New-Object cmdlet


QUESTION 127Your network contains an Active Directory forest. The forest contains multiple sites. You need to enableuniversal group membership caching for a site.What should you do?

A. From Active Directory Sites and Services, modify the NTDS Settings.B. From Active Directory Sites and Services, modify the NTDS Site Settings.

C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the

site.


QUESTION 128You need to ensure that domain controllers only replicate between domain controllers in adjacent sites.What should you configure from Active Directory Sites and Services?

A. From the IP properties, select Ignore all schedules.B. From the IP properties, select Disable site link bridging.C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection

objects.D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each

site.


QUESTION 129Your company has a main office and a branch office.You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates byusing a domain controller in the main office. You need to ensure that IPv6-only computers authenticate todomain controllers in the same site.What should you do?


A. Configure the NTDS Site Settings object.B. Create Active Directory subnet objects.C. Create Active Directory Domain Services connection objects.D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.


QUESTION 130Your network contains an Active Directory domain. The domain is configured as shown in the following table:

Active Directory site Domain controllers

Main DC1 and DC2

Branch1 DC3

Branch2 None

Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure that users in

Branch2 only authenticate to the domain controllers in Main.What should you do?

A. On DC3, set the AutoSiteCoverage value to 0.B. On DC3, set the AutoSiteCoverage value to 1.C. On DC1 and DC2, set the AutoSiteCoverage value to 0.D. On DC1 and DC2, set the AutoSiteCoverage value to 1.


QUESTION 131Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has twodomain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.DC3 fails.You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 andthe domain controllers in Site1.On DC4, you run repadmin.exe /kcc.Replication between the sites continues to fail.You need to ensure that Active Directory data replicates between the sites.What should you do?

A. From Active Directory Sites and Services, modify the properties of DC3.B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.C. From Active Directory Users and Computers, modify the location settings of DC4.D. From Active Directory Users and Computers, modify the delegation settings of DC4.


QUESTION 132Your network contains an Active Directory domain. The functional level of the domain is Windows


Server 2003. The domain contains five domain controllers that run Windows Server 2008 and five domaincontrollers that run Windows Server 2008 R2.You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).What should you do first?


A. Run dfsrdiag.exe PollAD.B. Run dfsrmig.exe /SetGlobalState 0.C. Upgrade all domain controllers to Windows Server 2008 R2.

D. Raise the functional level of the domain to Windows Server 2008.



QUESTION 133Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User objects.You need to ensure that Attribute1 is replicated to the global catalog.What should you do?

A. In Active Directory Sites and Services, configure the NTDS Settings.B. In Active Directory Sites and Services, configure the universal group membership caching.C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class schema attribute.


QUESTION 134Your network contains an Active Directory domain. The domain contains three domain controllers.One of the domain controllers fails.Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that thehelp desk can create new user accounts.Which operations master role should you seize?

A. domain naming masterB. infrastructure masterC. primary domain controller (PDC) emulatorD. RID masterE. schema master


QUESTION 135Your network contains two standalone servers named Server1 and Server2 that have Active DirectoryLightweight Directory Services (AD LDS) installed.Server1 has an AD LDS instance.You need to ensure that you can replicate the instance from Server1 to Server2.What should you do on both servers?

A. Obtain a server certificate."First Test, First Pass" - www.lead2pass.com 49Microsoft 70-640 Exam

B. Import the MS-User.ldf file.C. Create a service user account for AD LDS.

D. Register the service location (SRV) resource records.


QUESTION 136Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an ActiveDirectory Lightweight Directory Services (AD LDS) instance on Server1. You need to create an additional ADLDS application directory partition in the existing instance.Which tool should you use?

A. AdaminstallB. DsaddC. DsmodD. Ldp


QUESTION 137Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create anActive Directory Lightweight Directory Services (AD LDS) instance named Instance1.You connect to Instance1 by using ADSI Edit.You run the Create Object wizard and you discover that there is no User object class. You need to ensure thatyou can create user objects in Instance1.What should you do?

A. Run the AD LDS Setup Wizard.B. Modify the schema of Instance1.C. Modify the properties of the Instance1 service.D. Install the Remote Server Administration Tools (RSAT).


QUESTION 138Your network contains an Active Directory domain. The domain contains a server named Server1.Server1 runs Windows Server 2008 R2.You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.What should you do?

A. Run ldp.exe and use the Bind option.B. Run diskpart.exe and use the Attach option.C. Run dsdbutil.exe and use the snapshot option.D. Run imagex.exe and specify the /mount parameter.



QUESTION 139Your network contains a single Active Directory domain. Active Directory Rights Management Services (ADRMS) is deployed on the network.A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensurethat User1 can change the service connection point (SCP) for the AD RMS installation.The solution must minimize the administrative rights of User1.To which group should you add User1?

A. AD RMS AuditorsB. AD RMS Service GroupC. Domain AdminsD. Schema Admins


QUESTION 140Your network contains two Active Directory forests named contoso.com and adatum.com. Active DirectoryRights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD)exists between contoso.com and adatum.com. From the AD RMS logs, you discover that some clients thathave IP addresses in the adatum.com forest are authenticating as users from contoso.com.You need to prevent users from impersonating contoso.com users.What should you do?

A. Configure trusted e-mail domains.B. Enable lockbox exclusion in AD RMS.C. Create a forest trust between adatum.com and contoso.com.D. Add a certificate from a third-party trusted certification authority (CA).


QUESTION 141Your network contains an Active Directory domain named contoso.com. The network contains client computersthat run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) isdeployed on the network. You create a new AD RMS template that is distributed by using the AD RMS pipeline.The template is updated every month.You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.You want to achieve this goal by using the minimum amount of administrative effort.What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users

by using a Software Installation extension of Group Policy.D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all

computers by using a Software Installation extension of Group Policy.



QUESTION 142Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who haveWindows Mobile 6 devices report that they cannot access documents that are protected by AD RMS.You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.What should you do?

A. Modify the security of the ServerCertification.asmx file.B. Modify the security of the MobileDeviceCertification.asmx file.C. Enable anonymous authentication for the _wmcs virtual directory.D. Enable anonymous authentication for the certification virtual directory.


QUESTION 143Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1.An administrator changes the password of the user account that is used by AD RMS.You need to update AD RMS to use the new password.Which console should you use?

A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Component ServicesD. Services


QUESTION 144Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have severalcustom policy templates. The custom policy templates are updated frequently. Some users report that it takesas many as 30 days to receive the updated policy templates. You need to ensure that users receive theupdated custom policy templates within seven days.What should you do?

A. Modify the registry on the AD RMS servers.B. Modify the registry on the users computers.C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.


QUESTION 145Your company has a main office and a branch office. The branch office contains a read-only domain controllernamed RODC1.You need to ensure that a user named Admin1 can install updates on RODC1. The solution must preventAdmin1 from logging on to other domain controllers.What should you do?


A. Run ntdsutil.exe and use the Roles option.B. Run dsmgmt.exe and use the Local Roles option.C. From Active Directory Sites and Services, modify the NTDS Site Settings.D. From Active Directory Users and Computers, add the user to the Server Operators group.


QUESTION 146You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user namedUser1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.Which tool should you use?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. DsaddD. Dsmgmt


QUESTION 147Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1contains four domain controllers. Site2 contains a read-only domain controller (RODC).You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between Site1and Site2 fails.User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored andUser1 reports that he is able to log on to the domain. You need to prevent the problem from reoccurring if theWAN link fails.What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.


QUESTION 148Your company has a main office and a branch office. The network contains an Active Directory domain.The main office contains a writable domain controller named DC1. The branch office contains a read- onlydomain controller (RODC) named DC2.You discover that the password of an administrator named Admin1 is cached on DC2. You need to preventAdmin1's password from being cached on DC2.What should you do?

A. Modify the NTDS Site Settings.B. Modify the properties of the domain.C. Create a Password Setting object (PSO).


D. Modify the properties of DC2's computer account.


QUESTION 149Your network contains an Active Directory domain named contoso.com. The network has a branch office sitethat contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2.A user named User1 logs on to a computer in the branch office site. You discover that the password of User1 isnot stored on RODC1.

You need to ensure that User1's password is stored on RODC1.What should you modify?

A. the Member Of properties of RODC1B. the Member Of properties of User1C. the Security properties of RODC1D. the Security properties of User1


QUESTION 150Your company has a main office and a branch office. The branch office has an Active Directory site thatcontains a read-only domain controller (RODC).A user from the branch office reports that his account is locked out. From a writable domain controller in themain office, you discover that the user's account is not locked out.You need to ensure that the user can log on to the domain.What sould you do?

A. Modify the Password Replication Policy.B. Reset the password of the user account.C. Run the Knowledge Consistency Checker (KCC) on the RODC.D. Restore network communication between the branch office and the main office.


QUESTION 151Your network contains a single Active Directory domain. The domain contains five read-only domain controllers(RODCs) and five writable domain controllers.All servers run Windows Server 2008.You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add thenew RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. At the command prompt, run adprep.exe /rodcprep.B. At the command prompt, run adprep.exe /forestprep.C. At the command prompt, run adprep.exe /domainprep.D. From Active Directory Domains and Trusts, raise the functional level of the domain.E. From Active Directory Users and Computers, pre-stage the RODC computer account.



QUESTION 152You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1.You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.Which inbound TCP port should you allow on Server1?

A. 88B. 135C. 443D. 445


QUESTION 153You deploy a new Active Directory Federation Services (AD FS) federation server. You request new certificatesfor the AD FS federation server. You need to ensure that the AD FS federation server can use the newcertificates. To which certificate store should you import the certificates?

A. ComputerB. IIS Admin Service service accountC. Local AdministratorD. World Wide Web Publishing Service service account


QUESTION 154

Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. Server1 has the Active Directory Federation Services (AD FS) role installed.You have an application named App1 that is configured to use Server1 for AD FS authentication. You deploy anew server named Server2. Server2 is configured as an AD FS 2.0 server. You need to ensure that App1 canuse Server2 for authentication.What should you do on Server2?

A. Add an attribute store.B. Create a relaying party trust.C. Create a claims provider trust.D. Create a relaying provider trust.


QUESTION 155Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. The Active Directory Federation Services (AD FS) role is installed on Server1.


Contoso.com is defined as an account store.A partner company has a Web-based application that uses AD FS authentication. The partner company plansto provide users from contoso.com access to the Web application. You need to configure AD FS oncontoso.com to allow contoso.com users to be authenticated by the partner company.What should you create on Server1?

A. a new applicationB. a resource partnerC. an account partnerD. an organization claim


QUESTION 156Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has the Active Directory Federation Services (AD FS) Federation Service role service installed.You plan to deploy AD FS 2.0 on Server2.You need to export the token-signing certificate from Server1, and then import the certificate to Server2.Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)C. DER encoded binary X.509 (.cer)D. Personal Information Exchange PKCS #12 (.pfx)


QUESTION 157Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm.The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQLServer.You install AD FS 2.0 on Server2.You need to add Server2 to the existing AD FS farm.What should you do?

A. On Server1, run fsconfig.exe.B. On Server1, run fsconfigwizard.exe.C. On Server2, run fsconfig.exe.D. On Server2, run fsconfigwizard.exe.


QUESTION 158Your network contains an Active Directory forest.You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in thenetwork. You create a Windows PowerShell script named new-users.ps1 that contains the


following lines:

new-aduser user1new-aduser user2new-aduser user3new-aduser user4new-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the script fails tocreate the user accounts. You need to ensure that the script creates the user accounts.Which cmdlet should you add to the script?

A. Import-ModuleB. Register-ObjectEventC. Set-ADDomainD. Set-ADUser


QUESTION 159Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.You need to modify the custom attribute value of 500 user accounts.Which tool should you use?

A. Csvde

B. DsmodC. DsrmD. Ldifde


QUESTION 160Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.You need to give the human resources department a file that contains the last logon time and the customattribute values for each user in the forest.Which should you use?

A. the Dsquery toolB. the Export-CSV cmdletC. the Get-ADUser cmdletD. the Net.exe user command


QUESTION 161Your company has two Active Directory forests named contoso.com and fabrikam.com. The company networkhas three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in thefollowing table.


All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. Allother computers use DNS1 as the preferred DNS server. Users from the fabrikam.com domain are unable toconnect to the servers that belong to the contoso.com domain.You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.What should you do?

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.


QUESTION 162Your company, Contoso, Ltd., has offices in North America and Europe. Contoso has an Active Directory forestthat has three domains. You need to reduce the time required to authenticate users from thelabs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain. What should youdo?

A. Decrease the replication interval for all Connection objects.B. Decrease the replication interval for the DEFAULTIPSITELINK site link.C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.


QUESTION 163Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One ofthese GPOs publishes applications to user objects. A user reports that the application is not available forinstallation. You need to identify whether the GPO has been applied.What should you do?

A. Run the Group Policy Results utility for the user.B. Run the GPRESULT /S <system name> /Z command at the command prompt.C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.D. Run the Group Policy Results utility for the computer.


QUESTION 164Your company has a single-domain Active Directory forest. The functional level of the domain is WindowsServer 2008.You perform the following activities:Create a global distribution group.Add users to the global distribution group.Create a shared folder on a Windows Server 2008 member server. Place the global distribution group in adomain local group that has access to the shared folder. You need to ensure that the users have access to theshared folder.What should you do?


A. Add the global distribution group to the Domain Administrators group.B. Change the group type of the global distribution group to a security group.C. Change the scope of the global distribution group to a Universal distribution group.D. Raise the forest functional level to Windows Server 2008.


QUESTION 165Your company has a DNS server that has 10 Active DirectoryCintegrated zones. You need to provide copies ofthe zone files of the DNS server to the security department.What should you do?

A. Run the dnscmd /ZoneInfo command.

B. Run the ipconfig /registerdns command.C. Run the dnscmd /ZoneExport command.D. Run the ntdsutil > Partition Management > List commands.


QUESTION 166Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows 7 or Windows Vista Service Pack 2 (SP2). You need to audit user access to theadministrative shares on the client computers.What should you do?

A. Deploy a logon script that runs Icacls.exe.B. Deploy a logon script that runs Auditpol.exe.C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.


QUESTION 167Your network contains an Active Directory domain named contoso.com. You need to create a central store forthe Group Policy Administrative templates.What should you do?

A. Run dfsrmig.exe /createglobalobjects.B. Run adprep.exe /domainprep /gpprep.C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\ Policies

folder.D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\ contoso.com

\Policies folder.


QUESTION 168You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.


You need to identify whether a specific application file is allowed to run on a computer.Which Windows PowerShell cmdlet should you use?

A. Get-AppLockerFileInformationB. Get-GPOReportC. Get-GPPermissionsD. Test-AppLockerPolicy


QUESTION 169You create a Password Settings object (PSO).You need to apply the PSO to a domain user named User1.What should you do?

A. Modify the properties of the PSO.B. Modify the account options of the User1 account.C. Modify the security settings of the User1 account.D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).


QUESTION 170You need to create a Password Settings object (PSO).Which tool should you use?

A. Active Directory Users and ComputersB. ADSI EditC. Group Policy Management ConsoleD. Ntdsutil


QUESTION 171Your network contains an Active Directory domain. All servers run Windows Server 2008 R2. You need to auditthe deletion of registry keys on each server.What should you do?

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.B. From Audit Policy, modify the System Events settings and the Privilege Use settings.C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object

Access Auditing settings.


QUESTION 172Your network contains a single Active Directory domain. The functional level of the forest is


Windows Server 2008 R2.You need to enable the Active Directory Recycle Bin.What should you use?

A. the Dsmod toolB. the Enable-ADOptionalFeature cmdletC. the Ntdsutil toolD. the Set-ADDomainMode cmdlet


QUESTION 173Your network contains a single Active Directory domain.You need to create an Active Directory Domain Services snapshot.What should you do?

A. Use the Ldp tool.B. Use the NTDSUtil tool.C. Use the Wbadmin tool.D. From Windows Server Backup, perform a full backup.


QUESTION 174Your network contains a single Active Directory domain. A domain controller named DC2 fails.You need to remove DC2 from Active Directory.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. At the command prompt, run dcdiag.exe /fix.B. At the command prompt, run netdom.exe remove dc2.C. From Active Directory Sites and Services, delete DC2.D. From Active Directory Users and Computers, delete DC2.


QUESTION 175Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server2008. All domain controllers run Windows Server 2008 R2. You need to ensure that you can enable the ActiveDirectory Recycle Bin.What should you do?

A. Change the functional level of the forest.B. Change the functional level of the domain.

C. Modify the Active Directory schema.D. Modify the Universal Group Membership Caching settings.



QUESTION 176Your network contains an Active Directory domain. The domain contains several domain controllers.All domain controllers run Windows Server 2008 R2.You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server2008 R2 default settings.What should you do?

A. Run dcgpofix.exe /target:dc.B. Run dcgpofix.exe /target:domain.C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.


QUESTION 177Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1and Site2. Site1 contains two domain controllers named DC1 and DC2.Site2 contains two domain controller named DC3 and DC4.The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003.Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At07:00, an administrator deletes a user account while he is logged on to DC1. You need to restore the deleteduser account. You want to achieve this goal by using the minimum amount of administrative effort.What should you do?

A. On DC1, run the Restore-ADObject cmdlet.B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory

Domain Services.D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active

Directory Domain Services.


QUESTION 178Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.You perform a full backup of the domain controllers every night by using Windows Server Backup.You update a script in the SYSVOL folder.You discover that the new script fails to run properly.

You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize theamount of time required to restore the script.What should you do first?

A. Run the Restore-ADObject cmdlet.B. Restore the system state to its original location.C. Restore the system state to an alternate location.D. Attach the VHD file created by Windows Server Backup.



QUESTION 179Your network contains an Active Directory domain.You need to restore a deleted computer account from the Active Directory Recycle Bin.What should you do?

A. From the command prompt, run recover.exe.B. From the command prompt, run ntdsutil.exe.C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.


QUESTION 180You need to back up all of the group policies in a domain.The solution must minimize the size of the backup.What should you use?

A. the Add-WBSystemState cmdletB. the Group Policy Management consoleC. the Wbadmin toolD. the Windows Server Backup feature


QUESTION 181You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2. You need to ensurethat you can recover the private key of a certificate issued to a Web server.What should you do?

A. From the CA, run the Get-PfxCertificate cmdlet.B. From the Web server, run the Get-PfxCertificate cmdlet.C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.


QUESTION 182Your company has a main office and a branch office.The network contains a single Active Directory domain. The main office contains a domain controller namedDC1.You need to install a domain controller in the branch office by using an offline copy of the Active Directorydatabase.What should you do first?

A. From the Ntdsutil tool, create an IFM media set.B. From the command prompt, run djoin.exe /loadfile.C. From Windows Server Backup, perform a system state backup.


D. From Windows PowerShell, run the get-ADDomainController cmdlet.


QUESTION 183Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. Thefunctional level of the domain is Windows Server 2003. All client computers run Windows 7.You install Windows Server 2008 R2 on a server named Server1.You need to perform an offline domain join of Server1.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. From Server1, run djoin.exe.B. From Server1, run netdom.exe.C. From a Windows 7 computer, run djoin.exe.D. Upgrade one domain controller to Windows Server 2008 R2.E. Raise the functional level of the domain to Windows Server 2008.


QUESTION 184You have an Active Directory snapshot.You need to view the contents of the organizational units (OUs) in the snapshot.Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.mscB. ntdsutil.exe, dsamain.exe, and dsa.mscC. wbadmin.msc, dsamain.exe, and netdom.exeD. wbadmin.msc, ntdsutil.exe, and explorer.exe

Correct Answer: B


QUESTION 185Your network contains a domain controller that runs Windows Server 2008 R2. You run the following commandon the domain controller:

璦dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 llowNonAdminAccess

The command fails.You need to ensure that the command completes successfully.How should you modify the command?

A. Include the path to Dsamain.B. Change the value of the dbpath parameter.C. Change the value of the ldapport parameter.D. Remove the -allowNonAdminAccess parameter.



QUESTION 186Your network contains an Active Directory domain. The domain contains five domain controllers. A domaincontroller named DC1 has the DHCP role and the file server role installed. You need to move the ActiveDirectory database on DC1 to an alternate location. The solution must minimize impact on the network duringthe database move.

What should you do first?

A. Restart DC1 in Safe Mode.B. Restart DC1 in Directory Services Restore Mode.C. Start DC1 from Windows PE.D. Stop the Active Directory Domain Services service on DC1.


QUESTION 187Your company has a main office and a branch office.The network contains an Active Directory forest. The forest contains three domains. The branch office containsone domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a fileserver.You remove the global catalog from DC5.You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impacton all users in the branch office.What should you do first?

A. Start DC5 in Safe Mode.

B. Start DC5 in Directory Services Restore Mode.C. On DC5, start the Protected Storage service.D. On DC5, stop the Active Directory Domain Services service.


QUESTION 188Your network contains a domain controller that runs Windows Server 2008 R2. You need to change the locationof the Active Directory log files.Which tool should you use?

A. DsamainB. DsmgmtC. DsmoveD. Ntdsutil


QUESTION 189Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.You deploy a new server that runs Windows Server 2008 R2.The server is not connected to the internal network.You need to ensure that the new server is already joined to the domain when it first connects to the internalnetwork.


What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, runsysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, runsysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server,run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server,run djoin.exe and specify the /provision parameter.


QUESTION 190Your network contains an Active Directory domain. The domain contains four domain controllers.You modify the Active Directory schema.You need to verify that all the domain controllers received the schema modification.Which command should you run?

A. dcdiag.exe /aB. netdom.exe query fsmoC. repadmin.exe /showrepl *D. sc.exe query ntds


QUESTION 191You remotely monitor several domain controllers.You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query to retrieveinformation from the bios of each domain controller.Which format should you use to write the query?

A. XrMLB. XMLC. WQLD. HTML


QUESTION 192Your network contains an Active Directory domain named contoso.com. The domain contains five domaincontrollers.You add a logoff script to an existing Group Policy object (GPO). You need to verify that each domain controllersuccessfully replicates the updated group policy. Which two objects should you verify on each domaincontroller? (Each correct answer presents part of the solution. Choose two.)

A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.iniB. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.polC. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container "First

Test, First Pass" - www.lead2pass.com 66Microsoft 70-640 Exam

D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container


QUESTION 193Your network contains an Active Directory domain that contains five domain controllers. You have amanagement computer that runs Windows 7.From the Windows 7 computer, you need to view all account logon failures that occur in the domain.The information must be consolidated on one list.Which command should you run on each domain controller?

A. Wecutil.exe qcB. Wevtutil.exe gliC. Winrm.exe quickconfig

D. Winrshost.exe


QUESTION 194You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. Thedomain contains five domain controllers.You need to monitor the replication of the group policy template files.Which tool should you use?

A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl


QUESTION 195You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. Thedomain contains five domain controllers that run Windows Server 2008 R2. You need to monitor the replicationof the group policy template files.Which tool should you use?

A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl


QUESTION 196You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine thesize of the Active Directory database on Server1.What should you do?


A. Run the Active Directory Sizer tool.B. Run the Active Directory Diagnostics data collector set.C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.


QUESTION 197You need to receive an e-mail message whenever a domain user account is locked out.Which tool should you use?

A. Active Directory Administrative CenterB. Event ViewerC. Resource MonitorD. Security Configuration Wizard


QUESTION 198Your network contains an Active Directory domain named contoso.com. You have a management computernamed Computer1 that runs Windows 7. You need to forward the logon events of all the domain controllers incontoso.com to Computer1. All new domain controllers must be dynamically added to the subscription.What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate onComputer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificateon Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).


QUESTION 199Your network contains an Active Directory domain that has two sites. You need to identify whether logon scriptsare replicated to all domain controllers.Which folder should you verify?

A. GroupPolicyB. NTDSC. SoftwareDistributionD. SYSVOL



Your company has four offices.The network contains a single Active Directory domain.

Each office has a domain controller. Each office has an organitational unit (OU) that contains the user accountsfor the users in that office.In each office, support technicians perform basic troubleshooting for the users in their respective office.You need to ensure that the support technicians can reset the password for the user accounts in theirrespective office only. The solution must prevent the technicians from creating user accounts.What should you do?

A. Four each OU, run the Delegation of Control Wizard.B. For the domain, run the Delegation of Control Wizard.C. For each office, create an Active Directory group, and then modify the security setting for each group.D. For each office, create an Active Directory group, and then modify the ControlAccessRights attribute for

each group.


QUESTION 201You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.What should you do?

A. Run defrag.exe /a /c.B. Run defrag.exe /c /u.C. Form Ntdsutil, use the Files option.D. From Ntdsutil, use the Metadata cleanup option.


QUESTION 202Your network contains an Active Directory domain named contoso.com. Contoso.com contains a domaincontroller named DC1 and a read-only domain controller (RODC) named RODC1. You need to view the mostrecent user accounts authenticated by RODC1.What should you do first?

A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click ReplicateNow.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click ReplicateNow.

C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, andthen connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, andthen connect to RODC1.


QUESTION 203Your network contains an Active Directory domain. The domain contains 3,000 client computers.All of the client computers run Windows 7.Users log on to their client computers by using standard user accounts.


You plan to deploy a new application named App1.The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run.You need to deploy App1 to all client computers. The solution must meet the following requirements:

- App1 must automatically detect and replace corrupt application files.- App1 must be available from the Start menu on each client computer.


A. Create a logon script that calls Setup.exe for App1.B. Create a .zap file.C. Create a startup script that calls Setup.exe for App1.D. Repackage App1 as a Windows Installer package.


QUESTION 204Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sitesnamed Site1 and Site2. Site1 contains a domain controller named DC1. In Site1, you install a new domaincontroller named DC2. You ship DC2 to Site2. You discover that certain users in Site2 authenticate to DC1.You need to ensure that the users in Site2 always attempt to authenticate to DC2 first.What should you do?

A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.B. From Active Directory Sites and Services, modify the Location attribute for Site2.C. From Active Directory Sites and Services, move the DC2 server object.D. From Active Directory Users and Computers, move the DC2 computer object.


QUESTION 205Your network contains an Active Directory domain named contoso.com. Contoso.com contains a server namedServer2. You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.)


When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discoverthat the enterprise subordinate CA option is unavailable. You need to configure Server2 as an enterprisesubordinate CA.What should you do first?

A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.B. Log in as an administrator and run Server Manager.C. Import the root CA certificate.D. Join Server2 to the domain.


QUESTION 206Your network contains an Active Directory domain. The domain contains an enterprise certification authority(CA).You need to ensure that only members of a group named Admin1 can create certificate templates.Which tool should you use to assign permissions to Admin1?

A. the Certification Authority consoleB. Active Directory Users and ComputersC. the Certificates snap-inD. Active Directory Sites and Services



QUESTION 207You have a Windows PowerShell script that contains the following code:

import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword$_.password}

When you run the script, you receive an error message indicating that the format of the password is incorrect.The script fails.You need to run a script that successfully creates the user accounts by using the password contained inaccounts.csv.Which script should you run?

?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true AccountPassword(ConvertTo-SecureString "Password" -AsPlainText -force)} ?

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true AccountPassword(ConvertTo-SecureString $_.Password -AsPlainText -force)} ?

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true AccountPassword(Read-Host -AsSecureString "Password")}?

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true AccountPassword(Read-Host -AsSecureString $_.Password)}


QUESTION 208Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.Your company's corporate security policy states that the password for each user account must be changed atleast every 45 days.You have a user account named Service1. Service1 is used by a network application named Application1.Every 45 days, Application1 fails.After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causesApplication1 to fail. The solution must adhere to the corporate security policy.What should you do?

A. Run the Set-ADAccountControl cmdlet.B. Run the Set-ADServiceAccount cmdlet.C. Create a new password policy.D. Create a new Password Settings object (PSO).


QUESTION 209Your network contains an Active Directory forest.You add an additional user principal name (UPN) suffix to the forest.You need to modify the UPN suffix of all users.You want to achieve this goal by using the minimum amount of administrative effort.What should you use?

A. the Active Directory Domains and Trusts console"First Test, First Pass" - www.lead2pass.com 72Microsoft 70-640 Exam

B. the Active Directory Users and Computers consoleC. the Csvde toolD. the Ldifde tool


QUESTION 210Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2(SP2).You need to prevent all users from running an application named App1.exe.Which Group Policy settings should you configure?

A. Application CompatibilityB. AppLockerC. Software InstallationD. Software Restriction Policies


QUESTION 211Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows XP Service Pack 3 (SP3) or Windows Vista. You need to ensure that all clientcomputers can apply Group Policy preferences.What should you do?

A. Upgrade all Windows XP client computers to Windows 7.B. Create a central store that contains the Group Policy ADMX files.C. Install the Group Policy client-side extensions (CSEs) on all client computers.D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).


QUESTION 212Your company has file servers located in an organizational unit named Payroll. The file servers contain payrollfiles located in a folder named Payroll.You create a GPO. You need to track which employees access the Payroll files on the file servers.What should you do?

A. Enable the Audit object access option. Link the GPO to the Payroll organizational unit.On the file servers, configure Auditing for the Everyone group in the Payroll folder.

B. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configureAuditing for the Authenticated Users group in the Payroll folder.

C. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit.On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.

D. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit.On the file servers, configure Auditing for the Everyone group in the Payroll folder.



QUESTION 213Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.The Audit account management policy setting and Audit directory services access setting are enabled for theentire domain.You need to ensure that changes made to Active Directory objects can be logged. The logged changes mustinclude the old and new values of any attributes.What should you do?

A. Enable the Audit account management policy in the Default Domain Controller Policy.B. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.C. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.D. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable

directory service changes.


QUESTION 214Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.Auditing is configured to log changes made to the Managed By attribute on group objects in an organizationalunit named OU1.You need to log changes made to the Description attribute on all group objects in OU1 only.What should you do?

A. Run auditpol.exe.B. Modify the auditing entry for OU1.C. Modify the auditing entry for the domain.D. Create a new Group Policy object (GPO). Enable the Audit account management policy setting.

Link the GPO to OU1.


QUESTION 215

You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature isinstalled on the domain controller.You need to perform a non-authoritative restore of the domain controller by using an existing backup file.What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to performa critical volume restore.

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-into perform a critical volume restore.

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a criticalvolume restore.

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volumerestore.



QUESTION 216Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains anOU for Computers, an OU for Groups, and an OU for Users. You perform nightly backups. An administratordeletes the Groups OU. You need to restore the Groups OU without affecting users and computers in the SalesOU.What should you do?

A. Perform an authoritative restore of the Sales OU.B. Perform an authoritative restore of the Groups OU.C. Perform a non-authoritative restore of the Groups OU.D. Perform a non-authoritative restore of the Sales OU.


QUESTION 217Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. Theserver is a backup server. The server has a single 500-GB hard disk that has three partitions for the operatingsystem, applications, and data.You perform daily backups of the server.The hard disk fails.You replace the hard disk with a new hard disk of the same capacity. You restart the computer on theinstallation media. You select the Repair your computer option.You need to restore the operating system and all files.What should you do?

A. Select the System Image Recovery option.B. Run the Imagex utility at the command prompt.C. Run the Wbadmin utility at the command prompt.D. Run the Rollback utility at the command prompt.

Correct Answer: C


QUESTION 218Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers. The domain controllers are configured as show in the following table.--------------------------------------------------------------------------------------------------------------------------------- ServerServer IP Address Server site--------------------------------------------------------------------------------------------------------------------------------- DC110.1.1.1/16 Default-First-Site-Name

DC2 10.1.1.2/16 Default-First-Site-Name--------------------------------------------------------------------------------------------------------------------------------- All clientcomputers have IP addresses in the 10.1.2.1 to 10.1.2.240 You need to minimize the number of clientauthentication requests send to DC2.What should you do?

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign thesubnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign thesubnet to Site1. Move DC1 to Site1.

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign thesubnet to Site1. Move DC2 to Site1."First Test, First Pass" - www.lead2pass.com 75Microsoft 70-640 Exam

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign thesubnet to Site1. Move DC2 to Site1.


QUESTION 219Your network contains an Active Directory forest. The forest contains multiple domains. You need to ensurethat users in the human resources department can search for employees by using the employeeNumberattribute.What should you do?

A. From Active Directory Sites and Services, modify the properties of each global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the user object class.C. From Active Directory Sites and Services, modify the NTDS Settings objectof each global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.


QUESTION 220Your network contains a single Active Directory domain. The domain contains an enterprise certificationauthority (CA).You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database.You modify the e-mail certificate template to support key archival.What should you do next?

A. Issue the key recovery agent certificate template.B. Run certutil.exe -recoverkey.C. Run certreq.exe-policy.D. Modify the location of the Authority Information Access (AIA) distribution point.


QUESTION 221Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that thezone includes DNS records for computers that were removed from the network. You need to ensure that theDNS records are deleted automatically from the zone. What should you do?

A. From DNS Manager, set the aging properties.B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.D. Create a scheduled task that runs ipconfig.exe /flushdns.


QUESTION 222Your network contains a domain controller that runs Windows Server 2008 R2.You run the following command on the domain controller:


dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C ldapport 389 -allowNonAdminAccess

The command fails. You need to ensure that the command completes successfully.How should you modify the command?

A. Change the value of the -dbpath parameter.B. Include the path to Dsamain.C. Change the value of the -ldapport parameter.D. Remove the CallowNonAdminAccess parameter.


QUESTION 223Your network contains an Active Directory domain. The domain contains 10 domain controllers that runWindows Server 2008 R2.You need to monitor the following information on the domain controllers during the next five days:

- Memory usage- Processor usage- The number of LDAP queries

What should you do?

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.B. Use the System Performance Data Collector Set (DCS).C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.D. Use the Active Directory Diagnostics Data Collector Set (DCS).


QUESTION 224Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zonefor contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.comThe DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.) You need toensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.comWhich two actions should you perform? (Each correct answers presents part of the solution.Choose two.)


A. Create a zone delegation record in the contoso.com zoneB. Create a zone delegation record in the eu.contoso.com zoneC. Create an Active Directory-integrated zone for _msdsc.contoso.comD. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com


QUESTION 225Your network contains an Active Directory forest. The forest contains two domain controllers. The domaincontrollers are configured as shown in the following table.

Server name Server configuration--------------------------------------------------------------------------------------------------------------------------- Global catalogserverDC1 Schema masterDomain naming master------------------------------------------------------------------------------------------------------------------------- Primary domaincontroller (PDC) emulatorDC2 RID masterInfrastructure master--------------------------------------------------------------------------------------------------------------------------

All client computers run Windows 7.You need to ensure that all client computers in the domain keep the same time as an external time server.What should you do?

A. From DC1, run the time command.B. From DC2, run the time command.C. From DC1, run the w32tm.exe command.D. From DC2, run the w32tm.exe command.



QUESTION 226Your network contains three Active Directory forest named Forest1, Forest2, and Forest3. Each forest containsthree domains.A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 andForest3.You need to configure the forest to meet the following requirements

Users in Forest3 must be able to access resources in Forest1.

Users in Forest1 must be able to access resources in Forest3.

The number of trusts must be minimized.

What should you do?

A. In Forest2, modify the name suffix routing settings.B. In Forest1 and Forest3, configure selective authentication.C. In Forest1 and Forest3, modify the name suffix routing settings.D. Create a two-way forest trust between Forest1 and Forest3.E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.


QUESTION 227Your network contains a single Active Directory domain named contoso.com. An administrator accidentallydeletes the _msdsc.contoso.com zone.You recreate the _msdsc.contoso.com zone.You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.What should you do on each domain controller?

A. Restart the Netlogon service.B. Restart the DNS Server service.C. Run dcdiag.exe /fix.D. Run ipconfig.exe /registerdns.


QUESTION 228Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to configureAD RMS to use Kerberos authentication. Which two actions should you perform? (Each correct answerpresents part of the solution.Choose two.)

A. Register a service principal name (SPN) for AD RMS.B. Register a service connection point (SCP) for AD RMS.C. Configure the identity setting of the _DRMSAppPool1 application pool.D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.



QUESTION 229Your network contains an Active Directory forest. The forest contains an Acitve Directory site for a remoteoffice. The remote site contains a read-only domain controller (RODC). You need to configure the RODC tostore only the password of users in the remote site.What should you do?

A. Create a Paasword Settings object (PSO).B. Modify the Partial-Attribute-Set attribute of the forest.C. Add the users accounts of the remote site users to the Allowed RODC Password Replication Group.D. Add the users accounts of users who are not in the remote site to the Denied RODC Password Replication

Group.


QUESTION 230Your network contains an Active Directory domain. All domain controller run Windows Server 2003.You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise thefunctional level of the domain to Windows Server 2008 R2. You need to minimize the amount of SYSVOLreplication traffic on the network.What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.B. Modify the path of the SYSVOL folder on all of the domain controllers.C. On a global catalog server, run repadmin.exe and specify the KCC parameter.D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run

dfsrmig.exe.


QUESTION 231Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Managements Services (AD RMS) is deployed in each forest. You need to ensure that users from thenwtraders.com forest can access AD RMS protected content in the contoso.com forestWhat should you do?

A. Create an external trust from contoso.com to nwtraders.com.B. Create an external trust from nwtraders.com to contoso.comC. Add a trusted user domain to the AD RMS cluster in the contoso.com domainD. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.


QUESTION 232You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC)What should you do?

A. From Active Directory Users and Computers, modify the properties of the RODC computer object "FirstTest, First Pass" - www.lead2pass.com 80Microsoft 70-640 Exam

B. Run the repadmin.exe command an specify the /prp parameterC. Run the dsrm.exe command and specify the -u parameterD. From Active Directory Sites an Services, modify the properties of the RODC computer object


QUESTION 233Your network contains an Active Directory domain.You need to back up all of the Group Policy objects (GPOs) Group Policy permissions, and Group Policy linksfor the domain.

What should you do?

A. From Windows PowerShell, run the Backup-GPO cmdlet.B. From Windows Server Backup, perform a system state backupC. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.D. From Group Policy Management Console (GPMC), back up the GPOs


QUESTION 234Your network contains an Active Directory forest. The forest contains one domain. The domain contains twodomain controllers named DC1 and DC2 that run Windows Server 2008 R2.DC1 was installed before DC2.DC1 failsYou need to ensure that you can add 1,000 new user accounts to the domain.What should you do?

A. Seize the schema master FSMO role.B. Configure DC2 as a global catalog server.C. Seize the RID master FSMO roleD. Modify the permissions of the DC2 computer account


QUESTION 235Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sitesnamed Site1 and Site2. Site1 contains a domain controller named DC1. In Site1 , you install a new domaincontroller named DC2. You ship DC2 to Site2. You discover that certain users in Site2 authenticate to DC1.You need to ensure that the users in Site2 always attemp to authentcate to DC2 first.What should you do?

A. From Active Dirctory Sites and Services, move the DC2 server object.B. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.C. From Active Directory Sites and Services, modify the Location attribute for Site2.D. From Active Directory Users and Computers, move the DC2 computer object.



QUESTION 236Your company has a main office and four branch offices.An Active Directory site exists for each office. Each site contains one domain controller. Each branch office sitehas a site link to the main office site. You discover that the domain controllers in the branch offices sometimesreplicate directly to each other.You need to ensure that domain controllers in the branch offices only replicate to the domain controller in the

main office.What should you do?

A. Disable the Knowledge Consistency Checker (KCC) for each branch office site.B. Modify the firewall settings for the main office siteC. Modify the security settings for the main office siteD. Disable site link bridging


QUESTION 237Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack3 (SPP? or Windows 7. All of the computer accounts for the client computers are located in an organizationalunit (OU) named OU1.You link a new Group Policy object (GPO) named GPO10 to OU1. You need to ensure that GPO10 is appliedonly to client computers that run Windows 7.What should you do?

A. Enable block inheritance on OU1.B. Create a new OU in OU1. Move the Windows Xp computer accounts to the new OUC. Modify the permissions of OU1.D. Create a WMI filter and assign the filter to GPO10


QUESTION 238Your network contains an Active Directory forest. All client computers run Windows 7. The network contains ahigh-volume enterprise certification authority(CA). You need to minimize the amount of network bandwidthrequired to validate a certificate.What should you do?

A. Configure an Online Certification Status Protocol (OSCP) responderB. Configure an LDAP publishing point for the certificate revocation list (CRL).C. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS)D. Modify the settings of the delta certificate revocation list (CRL)


QUESTION 239Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 R2 Standard.You need to create an enterprise subordinate certification authority (CA) that can issue certificates based onversion 3 certificate templates.You must achieve this goal by using the minimun amount of administrative effort.



A. Upgrade the member server to Windows Server 2008 R2 Enterprise.B. Disjoin the member server from the domain.C. Run certutil.exe -addenrollmentserver.D. Install the Active Directory Certificate Services (AD CS) role on the member server.


QUESTION 240Your Network contains an Active Directory domain. You create and mount an Active Directory snapshot.You run the following command on the domain controller :

dsamain.exe -dbpath C:\Windows\NTDS\ntds.dit -ldapport 54321 ?allowNonAdminAccess

and the command fails as shown in the exhibit. ( Click the Exhibit button ). You need to ensure that you canbrowse the contents of Active Directory snapshot. What should you do ?

A. Change the value of the ldapport parameter, and then rerun dsamain.exe .

B. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe ."First Test, First Pass" - www.lead2pass.com 83Microsoft 70-640 Exam

C. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe .D. Change the value of the dbpath parameter, and then rerun dsamain.exe .


QUESTION 241Your network contains an Active Directory domain named contoso.com.You need to audit changes to a service account .Which security policy setting should you configure ?

A. Audit Sensitive Privilege Use .B. Audit Directory Service Changes .C. Audit User Account Management .D. Audit Other Account Management Events .


QUESTION 242Your network contains an Active Directory domain named contoso.com.The Adminisrator deletes an OU named OU1 accidentally.You need to restore OU1. Which cmdlet should you use ?

A. Set-ADObject cmdletB. Set-ADOrganizationalUnit cmdletC. Set-ADUser cmdletD. Set-ADGroup cmdlet


QUESTION 243Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance,HR, Marketing, Sales and Dev.You link a Group Policy object named GPO1 to the domain as shown in the exhibit. You need to ensure thatGPO1 is applied to users in Finance, HR, Marketing and Sales OUs. The solution must prevent GPO1 frombeing applied to users in the Dev OU. What should you do?


A. Link GPO1 to the Finance OU.B. Modify the security settings of the Finance OU.C. Enforce GPO1.D. Modify the security settings of the Dev OU


QUESTION 244Your network contains an Active Directory domain. All DNS servers are domain controllers. You view theproperties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)


You need to ensure that only domain members can register DNS records in the zone. What should you do first?

A. Modify the zone type.B. Create a trust anchor.C. Modify the Advanced properties of the DNS server.D. Modify the Dynamic updates setting.


QUESTION 245Your company has a single Active Directory forest with a single domain. Consultants in different departments ofthe company require access to different network resources. The consultants belong to a global group namedTempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The fileservers contain confidential data in shared folders. You need to prevent the consultants from accessing theconfidential data.

What should you do?

A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.Assign the Deny access to this computer from the network user right to the TempWorkers global group.

B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computerfrom the network user right to the TempWorkers global group.

C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full controlpermission for the TempWorkers global group on the share."First Test, First Pass" - www.lead2pass.com 86

Microsoft 70-640 ExamD. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user right

to the TempWorkers global group.E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.

Assign the Deny log on locally user right to the TempWorkers global group.


QUESTION 246Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functionallevel of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains twodomains. You need to ensure that users in contoso.com can access the resources in all domains. The solutionmust require the minimum number of trusts.Which type of trust should you create?

A. externalB. forestC. realmD. shortcut


QUESTION 247You install an Active Directory domain in a test environment. You need to reset the passwords of all the useraccounts in the domain from a domain controller. Which two Windows PowerShell commands should you run?(Each correct answer presents part of the solution, choose two.)

A. $ newPassword = *B. Import-Module ActiveDirectoryC. Import-Module WebAdministrationD. Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - ResetE. Set- ADAccountPossword - NewPassword - ResetF. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )G. Import-Module ServerManager

Correct Answer: DFSection: (none)Explanation

QUESTION 248Your network contains two forests named adatum.com and litwareinc.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create aforest trust between adatum.com and litwareinc.com.What should you do first?

A. Create an external trust.B. Raise the functional level of both forests.C. Configure SID filtering.

D. Raise the functional level of all the domains.



QUESTION 249Your network contains an Active Directory forest named adatum.com. All client computers used by themarketing department are in an organizational unit (OU) named Marketing Computers. All user accounts for themarketing department are in an OU named Marketing Users.You purchase a new application.You need to ensure that every user in the domain who logs on to a marketing department computer can use theapplication. The application must only be available from the marketing department computers.What should you do?

A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to ashared folder on the network. Assign the application.

B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a shared folder on the network. Assign the application.

C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a local drive on each marketing department computer. Publish the application.

D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to afolder on each marketing department computer. Publish the application.


QUESTION 250Your network contains an Active Directory forest named adatum.com. You need to create an Active DirectoryRights Management Services (AD RMS) licensing-only cluster.What should you install before you create the AD RMS root cluster?

A. The Failover Cluster featureB. The Active Directory Certificate Services (AD CS) roleC. Microsoft Exchange Server 2010D. Microsoft SharePoint Server 2010E. Microsoft SQL Server 2008

Correct Answer: ESection: (none)Explanation

QUESTION 251Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains adomain controller named DC1.You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource recordnamed Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, youdiscover that the name fails to resolve. You are able to successfully ping server2.contoso.com.You need to ensure that you can resolve names by using the GlobalNames zone.Which command should you run?

A. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domainB. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport forestC. DnscmdDCl.contoso.com/config/Enableglobalnamessupport 1D. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest "First Test, First Pass" -

www.lead2pass.com 88Microsoft 70-640 Exam


QUESTION 252Your network contains an Active Directory domain named contoso.com. The network has a branch office sitethat contains a read-only domain controller (RODC) named R0DC1. R0DC1 runs Windows Server 2008 R2. Auser logs on to a computer in the branch office site.You discover that the user's password is not stored on R0DC1. You need to ensure that the user's password isstored on RODC1 when he logs on to a branch office site computer.What should you do?

A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC PasswordReplication Group.

B. Modify the RODC's password replication policy by adding R0DC1's computer account to the list of allowedusers, groups, and computers.

C. Add the user's user account to the built-in Allowed RODC Password Replication Group on R0DC1.D. Add R0DC1's computer account to the built-in Allowed RODC Password Replication Group on R0DC1.


QUESTION 253You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1.You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.Which protocol should you allow on Server1?

A. KerberosB. SSLC. SMBD. RPC


QUESTION 254Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 R2 Standard.You need to create an enterprise subordinate certification authority (CA) that can issue certificates based onversion 3 certificate templates.You must achieve this goal by using the minimum amount of administrative effort.What should you do first?

A. Run the certutil.exe - addenrollmentserver command.B. Install the Active Directory Certificate Services (AD CS) role on the member server.C. Upgrade the member server to Windows Server 2008 R2 Enterprise.D. Run the certutil.exe - installdefaulttemplates command.



QUESTION 255Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1. An administrator changes the password of the user account that is used byAD RMS.You need to update AD RMS to use the new password.Which console should you use?

A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Local Users and GroupsD. Services


QUESTION 256Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. Thead.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 isconfigured as a DNS server for the ad.contoso.com DNS zone.This zone is configured as a standard primary zone.You install a new domain controller named DC2 in the branch office.You install DNS on DC2.You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WANlink fails.What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.B. Create a new stub zone named ad.contoso.com on DC2.C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.


QUESTION 257Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File

System (EFS) certificates.You need to archive the private key for all new EFS certificates.Which snap-in should you use?

A. Active Directory Users and ComputersB. Authorization ManagerC. Group Policy ManagementD. Enterprise PKIE. Security TemplatesF. TPM ManagementG. CertificatesH. Certification AuthorityI. Certificate Templates


Correct Answer: HSection: (none)Explanation

QUESTION 258HOTSPOTYour network contains an Active Directory domain named contoso.com. You need to ensure that IP addressescan be resolved to fully qualified domain names (FQDNs).Under which node in the DNS snap-in should you add a zone?To answer, select the appropriate node in the answer area.

A.B.C.D.



QUESTION 259HOTSPOTYour network contains an Active Directory forest.The DNS infrastructure fails.You rebuild the DNS infrastructure.You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which serviceshould you restart on the domain controllers? To answer, select the appropriate service in the answer area.


A.B.C.D.



QUESTION 260HOTSPOT


Your network contains an Active Directory forest named contoso.com. The password policy of the forestrequires that the passwords for all of the user accounts be changed every 30 days.You need to create user accounts that will be used by services. The passwords for these accounts must bechanged automatically every 30 days.Which tool should you use to create these accounts?To answer, select the appropriate tool in the answer area.

A.B.C.D.



QUESTION 261HOTSPOTYou need to modify the Password Replication Policy on a read-only domain controller (RODC).


Which tool should you use?To answer, select the appropriate tool in the answer area.

A.B.C.D.



QUESTION 262Drag and Drop Question

Your network contains an Active Directory forest named adatum.com. The forest contains four child domainsnamed europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com.You need to create four new groups in the forest root domain. The groups must be configured as shown in thefollowing table.


What should you do?To answer, drag the appropriate group type to the correct group name in the answer area.

A.B.C.D.



QUESTION 263HOTSPOTYour network contains an Active Directory domain.You need to create a new site link between two sites named Site1 and Site3. The site link must support thereplication of domain objects.Under which node in Active Directory Sites and Services should you create the site link? To answer, select theappropriate node in the answer area

A.B.C.D.



QUESTION 264Drag and Drop QuestionYour network contains an Active Directory forest named contoso.com. The forest contains a domain controllernamed DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runsWindows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7. Computer1is not connected to the network. You need to join Computer1 to the contoso.com domain.What should you do?To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

A.B.C.D.



QUESTION 265HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named Server1. Server1 has an IP address of 192.168.200.100.You need to view the Pointer (PTR) record for Server1.Which zone should you open in the DNS snap-in to view the record? To answer, select the appropriate zone inthe answer area.

A.B.C.D.

Correct Answer: Section: (none)

Explanation


QUESTION 266Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You need to ensure that all of the members of a group named Group1 can view the event log entries forCertificate Services.Which snap-in should you use?

A. Certificate TemplatesB. Certification AuthorityC. Authorization ManagerD. Active Directory Users and ComputersE. TPM ManagementF. Security TemplatesG. Group Policy ManagementH. Enterprise PKII. Certificates


QUESTION 267Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificatetemplateWhich snap-in should you use?

A. Enterprise PKIB. TPM ManagementC. CertificatesD. Active Directory Users and ComputersE. Authorization Manager

F. Certification AuthorityG. Group Policy ManagementH. Security Templates


I. Certificate Templates

Correct Answer: ISection: (none)Explanation

QUESTION 268Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You have a custom certificate template named Template 1. Template1 is published to the CA. You need toensure that all of the members of a group named Group1 can enroll for certificates that use Template1.Which snap-in should you use?

A. Security TemplatesB. Enterprise PKIC. Certification AuthorityD. Certificate TemplatesE. CertificatesF. TPM ManagementG. Authorization ManagerH. Group Policy ManagementI. Active Directory Users and Computers


QUESTION 269Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You need to approve a pending certificate request.Which snap-in should you use?

A. Active Directory Users and ComputersB. Authorization ManagerC. Certification AuthorityD. Group Policy ManagementE. Certificate TemplatesF. TPM ManagementG. CertificatesH. Enterprise PKII. Security Templates


QUESTION 270

Your network contains an Active Directory domain named adatum.com. You need to ensure that IP addressescan be resolved to fully qualified domain names (FQDNs).Under which node in the DNS snap-in should you add a zone?

A. Reverse Lookup ZonesB. adatum.comC. Forward Lookup Zones


D. Conditional ForwardersE. _msdcs.adatum.com


QUESTION 271Your network contains an Active Directory domain named adatum.com. The domain contains a domaincontroller named DC1. DC1 has an IP address of 192.168.200.100. You need to identify the zone that containsthe Pointer (PTR) record for 0C1.Which zone should you identify?

A. adatum.comB. _msdcs.adatum.comC. 100.168.192.in-addr.arpaD. 200.168.192.in-addr.arpa


QUESTION 272Your network contains an Active Directory forest named adatum.com.The DNS infrastructure fails.You rebuild the DNS infrastructure.You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which serviceshould you restart on the domain controllers?

A. NetlogonB. DNS ServerC. Network Location AwarenessD. Network Store Interface ServiceE. Online Responder Service


QUESTION 273Your network contains an Active Directory domain named adatum.com. The password policy of the domainrequires that the passwords for all user accounts be changed every 50 days.You need to create several user accounts that will be used by services. The passwords for these accountsmust be changed automatically every 50 days.

Which tool should you use to create the accounts?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. Active Directory Module for Windows PowerShellD. ADSI EditE. Active Directory Domains and Trusts



QUESTION 274Your network contains an Active Directory domain. The domain contains several domain controllers. You needto modify the Password Replication Policy on a read-only domain controller (RODC).Which tool should you use?

A. Group Policy ManagementB. Active Directory Domains and TrustsC. Active Directory Users and ComputersD. Computer ManagementE. Security Configuration Wizard


QUESTION 275Your network contains an Active Directory forest. The forest contains domain controllers that run WindowsServer 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain isWindows Server 2008.From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).What should you do first?

A. Raise the functional level of the forestB. Modify the tombstone lifetime of the forest.C. Restore the system state.D. Raise the functional level of the domain.


QUESTION 276Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to User objects.You need to ensure that Attribute1 is included in the global catalog.What should you do?

A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User

objects.C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the

forest.


QUESTION 277Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the ActiveDirectory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances namedInstance1 and Instance2.


You need to remove Instance2 from Server1 without affecting Instance1.Which tool should you use?

A. NTDSUtilB. DsdbutilC. Programs and Features in the Control PanelD. Server Manager


QUESTION 278Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to compact the Active Directory database.What should you do?

A. Run the Get-ADForest cmdlet.B. Configure subscriptions from Event Viewer.C. Run the eventcreate.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (OCS).E. Create a Data Collector Set (DCS).F. Run the repadmin.exe command.G. Run the ntdsutil.exe command.H. Run the dsquery.exe command.I. Run the dsamain.exe command.J. Create custom views from Event Viewer.

Correct Answer: GSection: (none)Explanation

QUESTION 279

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to collect all of the Directory Services events from all of the domain controllers and store the events ina single central computer.What should you do?

A. Run the ntdsutil.exe command.B. Run the repodmin.exe command.C. Run the Get-ADForest cmdlet.D. Run the dsamain.exe command.E. Create custom views from Event Viewer.F. Run the dsquery.exe command.G. Configure the Active Directory Diagnostics Data Collector Set (DCS),H. Configure subscriptions from Event Viewer.I. Run the eventcreate.exe command.J. Create a Data Collector Set (DCS).



QUESTION 280Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to receive a notification when more than 100 Active Directory objects are deleted per second.What should you do?

A. Create custom views from Event Viewer.B. Run the Get-ADForest cmdlet.C. Run the ntdsutil.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (DCS).E. Create a Data Collector Set (DCS).F. Run the dsamain.exe command.G. Run the dsquery.exe command.H. Run the repadmin.exe command.I. Configure subscriptions from Event Viewer.J. Run the eventcreate.exe command.

Correct Answer: ESection: (none)Explanation

QUESTION 281Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to create a snapshot of Active Directory.What should you do?

A. Run the dsquery.exe command.B. Run the dsamain.exe command.C. Create custom views from Event Viewer.

D. Configure subscriptions from Event Viewer.E. Create a Data Collector Set (DCS).F. Configure the Active Directory Diagnostics Data Collector Set (DCS).G. Run the repadmin.exe command.H. Run the ntdsutil.exe command.I. Run the Get-ADForest cmdlet.J. Run the eventcreate.exe command.


QUESTION 282Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.You mount an Active Directory snapshot.You need to ensure that you can query the snapshot by using LDAP.What should you do?

A. Run the dsamain.exe command.B. Create custom views from Event Viewer.C. Run the ntdsutil.exe command.D. Configure subscriptions from Event Viewer.


E. Run the Get-ADForest cmdlet.F. Create a Data Collector Set (DCS).G. Run the eventcreate.exe command.H. Configure the Active Directory Diagnostics Data Collector Set (DCS).I. Run the repadmin.exe command.J. Run the dsquery.exe command.


QUESTION 283Drag and Drop QuestionYour network contains an Active Directory domain named adatum.com. You need to use Group Policies todeploy the line-of-business applications shown in the following table.

What should you do?To answer, drag the appropriate deployment method to the correct application in the answer area.

A.B.C.D.



QUESTION 284HOTSPOTYour network contains an Active Directory forest named contoso.com. All client computers run Windows 7Enterprise.You need automatically to create a local group named PowerManagers on each client computer that contains abattery. The solution must minimize the amount of administrative effort. Which node in Group PolicyManagement Editor should you use? To answer, select the appropriate node in the answer area.

A.B.C.D.




QUESTION 285Drag and Drop QuestionYour network contains two forests named contoso.com and fabrikam.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create atrust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com can onlyaccess the servers in fabrikam.com that have the Allowed to Authenticate permission set.What should you do?To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

A.B.C.D.



QUESTION 286Drag and Drop QuestionYour network contains an Active Directory forest named contoso.com. You need to create an Active DirectoryRights Management Services (AD RMS) licensing-only cluster.What should you do?To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

A.B.C.D.



QUESTION 287Drag and Drop QuestionYour company has a main office and a branch office. All servers are located in the main office. The networkcontains an Active Directory forest named adatum.com. The forest contains a domain controller namedMainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runsWindows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs Windows 7.Public_Computer is not connected to the network.You need to join Public_Computer to the adatum.com domain.What should you do?To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

A.B.C.D.



QUESTION 288Your network contains an Active Directory domain.You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy linksfor the domain.What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the Backup-GPO cmdlet.


QUESTION 289Your network contains an Active Directory domain. The relevant servers in the domain are configured as shownin the following table:

Server name Operating System Server role

Server1 Windows 2008 Domain controller

Server2 Windows 2008 R2 Enterprise root certification authority (CA)

Server3 Windows 2008 R2 Network Device Enrollment Service (NDES)

You need to ensure that all device certificate requests use the MD5 hash algorithm.What should you do?

A. On Server2, run the Certutil tool.

B. On Server1, update the CEP Encryption certificate template.C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\

HashAlgorithm registry key.



QUESTION 290Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the DirectoryServices Restore Mode (DSRM) password on the domain controller. Which tool should you use?

A. NtdsutilB. DsamainC. Active Directory Users and ComputersD. Local Users and Groups


QUESTION 291Your network contains an Active Directory domain.You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise rootcertification authority (CA).You have a client computer named Computer1 that runs Windows 7. You enable automatic certificateenrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computerscan automatically enroll for certificates.Which command should you run on Computer1?

A. certreq.exe -retrieveB. certreq.exe -submitC. certutil.exe -getkeyD. certutil.exe -pulse


QUESTION 292Your network contains two Active Directory forests named contoso.com and adatum.com. The functional levelof both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory CertificateServices (AD CS) is configured in the contoso.com forest to allow users from both forests to automaticallyenroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate fromthe contoso.com certification authority (CA).What should you configure in the adatum.com domain?

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.

C. From the Default Domain Policy, modify the Certificate Enrollment policy.D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.


QUESTION 293You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) roleservices installed:

Enterprise root certification authority (CA)Certificate Enrollment Web Service

"First Test, FirstPass" - www.lead2pass.com 111Microsoft 70-640 Exam

Certificate Enrollment Policy Web Service

You create a new certificate template.External users report that the new template is unavailable when they request a new certificate. You verify thatall other templates are available to the external users. You need to ensure that the external users can requestcertificates by using the new template.What should you do on Server1?

A. Run iisreset.exe /restart.B. Run gpupdate.exe /force.C. Run certutil.exe -dspublish.D. Restart the Active Directory Certificate Services service.


QUESTION 294Your network contains an enterprise root certification authority (CA). You need to ensure that a certificateissued by the CA is valid.What should you do?

A. Run syskey.exe and use the Update option.B. Run sigverif.exe and use the Advanced option.C. Run certutil.exe and specify the -verify parameter.D. Run certreq.exe and specify the -retrieve parameter.


QUESTION 295You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.Users are required to log on to the domain by using a smart card. Your company's corporate security policystates that when an employee resigns, his ability to log on to the network must be immediately revoked.An employee resigns. You need to immediately prevent the employee from logging on to the domain.What should you do?

A. Revoke the employee's smart card certificate.B. Disable the employee's Active Directory account.C. Publish a new delta certificate revocation list (CRL).D. Reset the password for the employee's Active Directory account.


QUESTION 296You add an Online Responder to an Online Responder Array.You need to ensure that the new Online Responder resolves synchronization conflicts for all members of theArray.What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1."First Test, First Pass" - www.lead2pass.com 112Microsoft 70-640 Exam

B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.C. From the Online Responder Management Console, select the new Online Responder, and then select Set

as Array Controller.D. From the Online Responder Management Console, select the new Online Responder, and then select

Synchronize Members with Array Controller.


QUESTION 297Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterpriseroot certification authority (CA).You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.You revoke a certificate issued to an external partner.You need to prevent the external partner from accessing the Web site.What should you do?

A. Run certutil.exe -crl.B. Run certutil.exe -delkey.C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.D. From Active Directory Users and Computers, modify the Contact object for the external partner.


QUESTION 298Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standardprimary zone.

You install a new domain controller named DC2 in the branch office.You install DNS on DC2.You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WANlink fails.What should you do?

A. Create a new stub zone named ad.contoso.com on DC2.B. Configure the DNS server on DC2 to forward requests to DC1.C. Create a new secondary zone named ad.contoso.com on DC2.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.


QUESTION 299Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNSservers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that thecontoso.com zone has multiple entries for the host names of computers that do not exist.You need to configure the contoso.com zone to automatically remove expired records.What should you do?


A. Enable only secure updates on the contoso.com zone.B. Enable scavenging and configure the refresh interval on the contoso.com zone.C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone.


QUESTION 300Your company has a main office and a branch office. The company has a single-domain Active Directory forest.The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. Thebranch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domaincontrollers hold the DNS Server server role and are configured as Active Directory- integrated zones. The DNSzones only allow secure updates.You need to enable dynamic DNS updates on DC3.What should you do?

A. Run the Ntdsutil.exe DS Behavior commands on DC3.B. Run the Dnscmd.exe /ZoneResetType command on DC3.C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.D. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-

integrated zones.


QUESTION 301Your company has an Active Directory domain named contoso.com. The company network has two DNSservers named DNS1 and DNS2.The DNS servers are configured as shown in the following table:

DNS1 DNS2

_msdcs.contoso.com .(root)contoso.com _msdcs.contoso.comcontoso.com

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to InternetWeb sites.You need to enable Internet name resolution for all client computers.What should you do?

A. Create a copy of the .(root) zone on DNS1.B. Update the list of root hints servers on DNS2.C. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.D. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.


QUESTION 302Your company has a main office and five branch offices that are connected by WAN links. The


company has an Active Directory domain named contoso.com. Each branch office has a member serverconfigured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com.You need to configure the contoso.com zone to resolve client queries for at least four days in the event that aWAN link fails.What should you do?

A. Configure the Expires after option for the contoso.com zone to 4 days.B. Configure the Retry interval option for the contoso.com zone to 4 days.C. Configure the Refresh interval option for the contoso.com zone to 4 days.D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.


QUESTION 303Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com.You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computersin a DNS domain named fabrikam.com.Fabrikam.com has a DHCP server and a DNS server.Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has an A recordin the fabrikam.com DNS zone.What are two possible ways to achieve this goal?(Each correct answer presents a complete solution. Choose two.)

A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.


QUESTION 304Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server2008 R2. All domain controllers are configured as DNS servers. You have a standard primary zone fordev.contoso.com that is stored on a member server.

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.What should you do?

A. On the member server, create a stub zone.B. On the member server, create a NS record for each domain controller.C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the forest.D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the domain.



QUESTION 305You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.You need to record all inbound DNS queries to the server.What should you configure in the DNS Manager console?

A. Enable debug logging.B. Enable automatic testing for simple queries.C. Enable automatic testing for recursive queries.D. Configure event logging to log errors and warnings.


QUESTION 306Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in theForestDnsZones Active Directory application partition. You have a member server that contains a standardprimary DNS zone for dev.contoso.com. You need to ensure that all domain controllers can resolve names for

dev.contoso.com.What should you do?

A. Create a NS record in the contoso.com zone.B. Create a delegation in the contoso.com zone.C. Create a standard secondary zone on a Global Catalog server.D. Modify the properties of the SOA record in the contoso.com zone.


QUESTION 307Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers.You have an Active Directory-integrated zone for contoso.com.You have a UNIX-based DNS server.You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.comzone to the UNIX-based DNS server.What should you do in the DNS Manager console?

A. Disable recursion.B. Create a stub zone.C. Create a secondary zone.D. Enable BIND secondaries.


QUESTION 308Your network consists of an Active Directory forest that contains one domain named contoso.com. All domaincontrollers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com. You need to ensure a user is able to modify records in thecontoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone.


What should you do?

A. From the DNS Manager console, modify the permissions of the contoso.com zone.B. From the DNS Manager console, modify the permissions of the nwtraders.com zone.C. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.D. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers

organizational unit (OU).


QUESTION 309Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory

domain named intranet.fabrikam.com.Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.What should you do?

A. Create a new stub zone for the intranet.fabrikam.com domain.B. Configure conditional forwarding for the intranet.fabrikam.com domain.C. Create a standard secondary zone for the intranet.fabrikam.com domain.D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.


QUESTION 310Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllersnamed DC1 and DC2. Both domain controllers have the DNS Server server role installed.You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 toforward all unresolved name requests to DNS1.contoso.com. You discover that the DNS forwarding option isunavailable on DC2. You need to configure DNS forwarding on the DC2 server to point to theDNS1.contoso.com server. Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Clear the DNS cache on DC2.B. Delete the Root zone on DC2.C. Configure conditional forwarding on DC2.D. Configure the Listen On address on DC2.


QUESTION 311Your network consists of an Active Directory forest that contains one domain. All domain controllers runWindows Server 2008 R2 and are configured as DNS servers.You have an Active Directory- integrated zone.You have two Active Directory sites. Each site contains five domain controllers.You add a new NS record to the zone.You need to ensure that all domain controllers immediately receive the new NS record.


What should you do?

A. From the DNS Manager console, reload the zone.B. From the Services snap-in, restart the DNS Server service.C. From the command prompt, run repadmin /syncall.D. From the DNS Manager console, increase the version number of the SOA record.


QUESTION 312You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNSserver for contoso.com.You install the DNS Server server role on a member server named Server1 and then you create a standardsecondary zone for contoso.com.You configure DC1 as the master server for the zone.You need to ensure that Server1 receives zone updates from DC1.What should you do?

A. On Server1, add a conditional forwarder.B. On DC1, modify the permissions of contoso.com zone.C. On DC1, modify the zone transfer settings for the contoso.com zone.D. Add the Server1 computer account to the DNSUpdateProxy group.


QUESTION 313Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2and are configured as DNS servers.A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller namedDC2 has a standard secondary zone for contoso.com. You need to ensure that the replication of thecontoso.com zone is encrypted.You must not lose any zone data.What should you do?

A. On both servers, modify the interface that the DNS server listens on.B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.C. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.D. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the

secondary zone.


QUESTION 314Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. Thedomain controllers run Windows Server 2008 R2 and are configured as DNS servers.You plan to create a new Active Directory-integrated zone.You need to ensure that the new zone is only replicated to four of your domain controllers.What should you do first?

A. Create a new delegation in the ForestDnsZones application directory partition."First Test, First Pass" - www.lead2pass.com 118Microsoft 70-640 Exam

B. Create a new delegation in the DomainDnsZones application directory partition.C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.D. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.

Correct Answer: DSection: (none)

Explanation

QUESTION 315Your network consists of a single Active Directory domain.You have a domain controller and a member server that run Windows Server 2008 R2. Both servers areconfigured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7.You have a standard primary zone on the domain controller. The member server hosts a secondary copy of thezone.You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.What should you do first?

A. On the member server, add a conditional forwarder.B. On the member server, install Active Directory Domain Services.C. Add all computer accounts to the DNSUpdateProxy group.D. Convert the standard primary zone to an Active Directory-integrated zone.


QUESTION 316Your company has an Active Directory domain. The main office has a DNS server named DNS1 that isconfigured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 thatcontains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link.You add a new server to the main office. Five minutes after adding the server, a user from the branch officereports that he is unable to connect to the new server. You need to ensure that the user is able to connect tothe new server.What should you do?

A. Clear the cache on DNS2.B. Reload the zone on DNS1.C. Refresh the zone on DNS2.D. Export the zone from DNS1 and import the zone to DNS2.


QUESTION 317You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What is theminimal forest functional level that you should use?

A. Windows Server 2008 R2B. Windows Server 2008C. Windows Server 2003D. Windows 2000



QUESTION 318Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers runWindows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level isWindows 2000.You need to ensure the UPN suffix for contoso.com is available for user accounts.What should you do first?

A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.C. Add the new UPN suffix to the forest.D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to

contoso.com.


QUESTION 319Your company,A. Datum Corporation, has a single Active Directory domain named intranet.adatum.com. Thedomain has two domain controllers that run Windows Server 2008 R2 operating system.The domain controllers also run DNS servers.The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamicupdates setting configured to Secure only. A new corporate security policy requires that theintranet.adatum.com DNS zone must be updated only by domain controllers or member servers.You need to configure the intranet.adatum.com zone to meet the new security policy requirement.Which two actions should you perform?(Each correct answer presents part of the solution. Choose two.)

A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zoneproperties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNSzone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of theintranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tabof the intranet.adatum.com DNS zone properties.


QUESTION 320You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configuredas DNS servers. The domain contains one Active Directory- integrated DNS zone. You need to ensure thatoutdated DNS records are automatically removed from the DNS zone.What should you do?

A. From the properties of the zone, modify the TTL of the SOA record.B. From the properties of the zone, enable scavenging.C. From the command prompt, run ipconfig /flushdns.D. From the properties of the zone, disable dynamic updates.



QUESTION 321Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off fortwelve weeks. The administrator receives an error message that authentication has failed. You need to ensurethat the user is able to log on to the computer. What should you do?

A. Run the netsh command with the set and machine options.B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the

domain.C. Run the netdom TRUST /reset command.D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.


QUESTION 322Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance,HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in theexhibit. (Click the Exhibit button.)

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solutionmust prevent GPO1 from being applied to users in the Dev OU. What should you do?

A. Enforce GPO1.B. Modify the security settings of the Dev OU.C. Link GPO1 to the Finance OU.D. Modify the security settings of the Finance OU.



QUESTION 323Your network contains an Active Directory domain. The domain contains an organizational unit (OU) namedOU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed serviceaccounts from being deleted accidentally from OU1. Which cmdlet should you use?

A. Set-ADUserB. Set-ADOrganizationalUnitC. Set-ADServiceAccountD. Set-ADObject


QUESTION 324Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writabledomain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllersrun Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remotesite. The solution must minimize the amount of replication traffic that occurs during the installation of ActiveDirectory Domain Services (AD DS) on DC3. What should you do first?

A. Run dcpromo.exe /createdcaccount on DC3.B. Run ntdsutil.exe on DC2.C. Run dcpromo.exe /adv on DC3.D. Run ntdsutil.exe on DC1.


QUESTION 325Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers areconfigured as global catalog servers.You remove the global catalog role from a domain controller named DC5. You need to reclaim the hard diskspace used by the global catalog on DC5.What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).B. From Active Directory Sites and Services, modify the general properties of DC5.

C. From Ntdsutil, use the Semantic database analysis option.D. From Ntdsutil, use the Files option.


QUESTION 326A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone aredomain controllers.You add multiple DNS records to the zone.You need to ensure that the new records are available on all DNS servers as soon as possible.Which tool should you use?


A. LdpB. RepadminC. NtdsutilD. NslookupE. Active Directory Sites And Services consoleF. Active Directory Domains And Trusts consoleG. DnslintH. Dnscmd


QUESTION 327You have a DNS zone that is stored in a custom application partition. You need to add a domain controller tothe replication scope of the custom application partition. Which tool should you use?

A. DNScmdB. DNS ManagerC. Server ManagerD. Dsmod


QUESTION 328Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has theActive Directory Certificate Services (AD CS) role installed. You configure a certificate template namedTemplate1 for autoenrollment. You discover that certificates are not being issued to any client computers. Theevent logs on the client computers do not contain any autoenrollment errors. You need to ensure that all of theclient computers automatically receive certificates based on Template1. What should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).B. Modify the Default Domain Controllers Policy Group Policy object (GPO).

C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.D. Restart Certificate Services on Server1.


QUESTION 329Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) roleinstalled.You need to perform an automated installation of an AD LDS instance.Which tool should you use?

A. Dism.exeB. Servermanagercmd.exeC. Adaminstall.exeD. Ocsetup.exe



QUESTION 330Your network contains an Active Directory domain named contoso.com. A partner company has an ActiveDirectory domain named nwtraders.com. The networks for contoso.com and nwtraders.com connect to eachother by using a WAN link.You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on theInternet.What should you do first?

A. Modify the Trusted Root Certification Authorities store.B. Modify the Intermediate Certification Authorities store.C. Create conditional forwarders.D. Add a root hint to the DNS server.


Explanation/Reference:"First Test, First Pass" - www.lead2pass.com 124About Lead2pass.com

Lead2pass.com was founded in 2006. We provide latest & high quality IT Certification Training ExamQuestions, Study Guides, Practice Tests. Lead the way to help you pass any IT Certification exams, 100%Pass Guaranteed or Full Refund. Especially Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper,Check Point, LPI, Nortel, EXIN and so on.

Our Slogan: First Test, First Pass.

Help you to pass any IT Certification exams at the first try.

You can reach us at any of the email addresses listed below.

Sales: [email protected]

Support: [email protected]

Technical Assistance Center: [email protected]

Any problems about IT certification or our products, you could rely upon us, we will give you satisfactoryanswers in 24 hours.


Documents

Lead2pass.Microsoft.70-640.v12.39 - GRATIS EXAM · 4/27/2012 · "First Test, First Pass" - 4 Microsoft 70-640 Exam C. Revoke the current key recovery agent certificates and issue